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CYBER SECURITY: U.S. VULNERABILITY AND 
PREPAREDNESS 


THURSDAY, SEPTEMBER 15, 2005 

House of Representatives, 

Committee on Science, 

Washington, DC. 

The Committee met, pursuant to call, at 10:00 a.m., in Room 
2318 of the Rayburn House Office Building, Hon. Sherwood L. 
Boehlert [Chairman of the Committee] presiding. 


( 1 ) 
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HEAHING CHARTER 

COMMITTEE ON SCIENCE 
U.S. HOUSE OF REPRESENTATIVES 

Cyber Security: U.S. Vulnerability 
and Preparedness 

THURSDAY, SEPTEMBER IB, 2005 
10:00 A.M.-12:00 P.M. 

2318 RAYBURN HOUSE OFFICE BUILDING 


1. Purpose 

On Thursday, September 15, 2005, the House Science Committee will hold a hear- 
ing to examine the extent of U.S. vulnerability to cyber attacks on critical infra- 
structure such as utility systems, and what the Federal Government and private 
sector are doing, and should be doing, to prevent and prepare for such attacks. The 
hearing will also examine what duties should be given to the new Assistant Sec- 
retary for Cyber Security and Telecommunications at the Department of Homeland 
Security. 

2. Witnesses 

Mr. Donald “Andy” Purdy is Acting Director of the National Cyber Security Divi- 
sion at the Department of Homeland Security (DHS). Prior to joining DHS, he 
served as senior advisor for Information Technology Security and Privacy to the 
President’s Critical Infrastructure Protection Board. 

Mr. John Leggate is the Chief Information Officer at BP Inc. (formerly known as 
British Petroleum). In addition, he is Chairman of the Chief Executive Officers’ 
Roundtable on Digital and Cyber Infrastructure Security at the industry organiza- 
tion Business Executives for National Security. 

Mr. David Kepler is Corporate Vice President of Shared Services and Chief Infor- 
mation Officer of The Dow Chemical Company. In addition, he leads the Chemical 
Sector Cyber Security Information Sharing Forum, an industry association. 

Mr. Gerald Freese is the Director of Enterprise Information Security at American 
Electric Power, one of the largest electric utilities in the United States. He has also 
been active in the North American Electric Reliability Council-coordinated develop- 
ment of cyber security standards for the energy industry. 

Mr. Andrew Geisse is the Chief Information Officer of SBC Services Inc. (formerly 
Southwestern Bell Corporation), the largest telecommunications carrier in the 
United States. 

3. Overarching Questions 

• How do critical infrastructure sectors depend on public and private informa- 
tion systems? What are the possible consequences for these sectors of disrup- 
tion or attack on their information systems? What steps are being and should 
be taken to secure these systems? 

• What are the most critical responsibilities of the Department of Homeland Se- 
curity (DHS) in cyber security for critical infrastructure sectors, and what are 
the most urgent steps the new Assistant Secretary for Cyber Security and 
Telecommunications should take? 

• In what areas are current cyber security technical solutions for critical infra- 
structure sectors inadequate? Where is further research needed to mitigate 
existing and emerging threats and vulnerabilities? How should federal agen- 
cies, such as DHS, the National Science Foundation (NSF), the National In- 
stitute of Standards and Technology (NIST), and the Defense Advanced Re- 
search Projects Agency (DARPA), and academic researchers work with indus- 
try to define priorities and support research in these areas? 
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4. Issues 

Is the U.S. adequately protecting critical information systems and is the 
U.S. able to detect, respond to, and recover from a cyber attacks on critical 
infrastructure? 

While industry and the Federal Government have increased their focus on cyber 
security in recent years, vulnerabilities remain, and many experts believe the U.S. 
needs to do more. An informal survey by a business group early this year found that 
in the telecommunications, energy, chemical, and transportations industries, execu- 
tives estimated that 20 to 35 percent of their revenue depends directly on the Inter- 
net. Yet despite the crucial role of information technology, the vulnerabilities in in- 
formation technology systems are m 3 Tiad . About 10 new entries are added each day 
to the National Vulnerability Database (maintained by the National Institute of 
Standards and Technology), which contains about 12,000 entries describing 
vulnerabilities in commonly used information technology products. (Statistics about 
attacks on critical infrastructure are hard to obtain because such attacks are often 
not reported.) 

Is there are clear line of responsibility within the Federal Government to 
deal with cyber security? 

When DHS was formed in 2002, cyber security responsibilities (other than re- 
search and development) were assigned to the Assistant Secretary for Infrastructure 
Protection. Ever since, industry representatives have repeatedly expressed concern 
that cyber security has been a distant second to physical security in DHS’s critical 
infrastructure protection activities and that the lack of a high-level official dedicated 
to cyber security has meant that the Department has failed to devote attention and 
resources to cyber security. In May 2005, the Government Accountability Office 
(GAO) found that DHS was having trouble with a number of its cyber responsibil- 
ities, including developing national cyber threat and vulnerability assessments and 
government/industry contingency recovery plans for cyber security, establishing ef- 
fective partnerships with stakeholders, and achieving two-way information sharing 
with these stakeholders. (The summary of this report is included in Attachment A.) 
In response to Congressional and industry concerns, the Secretary of Homeland Se- 
curity created in July the new position of Assistant Secretary for Cyber Security and 
Telecommunications to bring a higher profile to this area and high level attention 
to these problems. The position has not yet been filled. 

Are private companies doing enough to secure their information systems? 
To what extent are they coordinating with each other and the Federal Gov- 
ernment on cyber security? 

The record is mixed. For many companies, it can be difficult to quantify the risks 
associated with their dependence on information systems and hence difficult to jus- 
tify investment in cyber security. In other cases, the relevant cyber security tech- 
nologies may not be available. In many industries, companies have undertaken 
cyber security activities within industry organizations to set standards, share best 
practices, and work with information technology companies to improve the security 
of information systems and increase their cyber security options. (The companies 
testifying have generally been leaders in taking cyber security seriously.) In some 
cases, cyber security work has been hampered by the problems in the Federal Gov- 
ernment described above. Industry groups have indicated that they do not yet trust 
the processes for sharing sensitive information related to their cyber security with 
the government and have not yet been convinced of the value of information and 
services DHS would provide in return. 

What should the priorities be for federal cyber security research and devel- 
opment programs? Is funding for these programs adequate? 

Recommended areas for federal cyber security research in general were outlined 
in the recent report^ of the President’s Information Technology Advisory Committee 
(PITAC) and include monitoring and detection technologies, software quality assur- 
ance processes, authentication techniques, mitigation and recovery technologies, and 
metrics, benchmarks, and best practices. The PITAC report recommended substan- 
tial increases in funding at the National Science Foundation (NSF), DHS, and the 
Defense Advanced Research Projects Agency (DARPA). (Currently, funding for cyber 
security research programs at NSF and the National Institute of Standards and 


1 The President’s Information Technology Advisory Committee released their report. Cyber Se- 
curity: A Crisis of Prioritization, on March 18, 2005. It is available on line at http:! / 
www.mtrd.gov I pitac ! reports ! 20050301 -cybersecurity / cybersecurity.pdf. 
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Technology (NIST) is well below the levels authorized in the Cyber Security Re- 
search and Development Act. ) The Cyber Security Industry Alliance, an association 
of cyber security software, hardware and services companies, the Internet Security 
Alliance, an association of information security users from sectors such as banking, 
insurance, and manufacturing, and the Information Technology Association of Amer- 
ica, a trade association of the information technology industry, have all also publicly 
recommended increased federal funding for cyber security research and develop- 
ment. 

5. Brief Overview 

• Critical infrastructure^ sectors include electric power generation and trans- 
mission, oil and gas production and distribution, communications, chemicals, 
food production, banking and finance, transportation systems, and water proc- 
essing systems. These sectors are increasingly dependent on information sys- 
tems to administer business operations (such as billing and supply chain 
management) and to monitor and control physical operations (such as manu- 
facturing processes and distribution systems). 

• As reliance on information technology grows, the number of ways that critical 
infrastructure systems can be interfered with and the extent of disruption or 
damage that can be created via such interference is also growing. In addition, 
the potential impact of a combined physical and cyber attack on a critical fa- 
cility — e.g., using disruption of information systems to interfere with response 
and recovery after an explosion — would be severe. 

• Some cyber security products and techniques (such as firewalls, intrusion de- 
tection systems, and virus-protection checks) can be used to safeguard many 
types of standard information systems (e.g., protecting billing systems and 
customer databases). However, specialized information technology products 
are often used to manage and control critical infrastructure facilities. These 
process control systems often use customized or older hardware and software 
and have different performance requirements and hence may require special- 
ized security solutions and strategies. 

• In May 2005, GAO assessed the DHS role in cyber critical infrastructure pro- 
tection and found that DHS was having trouble with a number of its cyber 
responsibilities, including developing national cyber threat and vulnerability 
assessments and government/industry contingency recovery plans for cyber 
security (including a plan for recovering key Internet functions), establishing 
effective partnerships with stakeholders, and achieving two-way information 
sharing with these stakeholders. 

• In response to stakeholder and Congressional concerns that DHS needed to 
make information security, particularly information security for critical infra- 
structure sectors, a higher priority, the Secretary of Homeland Security an- 
nounced in July 2005 that the Department would create a new position of As- 
sistant Secretary for Cyber Security and Telecommunications. This new posi- 
tion will have responsibility for identifying and assessing the vulnerability of 
critical telecommunications infrastructure and assets, providing timely and 
usable threat information, and leading the national response to cyber and 
telecommunications attacks. 

• In information technology systems, new vulnerabilities and new threats 
emerge regularly and spread quickly. Cyber security research programs sup- 
ported by the Federal Government and the private sector develop tools that 
provide security in the current environment, as well as produce the defenses 
against the next generation of cyber security risks. Following passage of the 
Cyber Security Research and Development Act in 2002, funding for National 
Science Foundation programs in this area has increased; however, at the 
same time the Defense Advanced Research Projects Agency funding for un- 
classified research in cyber security has dropped significantly. Other federal 
cyber security research and development programs exist, particularly at DHS 
and at the National Institute of Standards and Technology, but these are rel- 
atively small. 


2 As defined in the USA PATRIOT Act (P.L. 107—56), criticai infrastructure is “systems and 
assets, whether physicai or virtual, so vital to the United States that the incapacity or destruc- 
tion of such systems and assets would have a debilitating impact on security, national economic 
security, national public health and safety, or any combination of those matters.” This definition 
is used broadly throughout the Federal Government. 
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6. Background 

Critical Infrastructure Sectors and Information Security 

Critical infrastructure, as defined in the USA PATRIOT Act, is “systems and as- 
sets, whether physical or virtual, so vital to the United States that the incapacity 
or destruction of such systems and assets would have a debilitating impact on secu- 
rity, national economic security, national public health and safety, or any combina- 
tion of those matters.” Examples of critical infrastructure include electric power gen- 
eration and transmission, oil and gas production and distribution, communications, 
chemicals, agriculture and food processing, banking and finance, transportation sys- 
tems, and water processing systems. Because of its vital role in the U.S. security, 
economy, and quality of life, the elements of the U.S. critical infrastructure are a 
potential target for terrorists, who could use physical or cyber attacks to interfere 
with, disrupt, damage, or destroy important facilities and capabilities. 

Industry is increasingly dependent on information technology for both business 
operations and process controls, and many of these information systems directly use, 
or are accessible through, public systems (e.g., the Internet) and technologies (e.g., 
Wi-Fi and common operating systems). Yet the Internet was not designed with secu- 
rity in mind. 

Control systems (systems that run manufacturing and distribution facilities) raise 
different security issues than do the business/administrative systems. It is harder 
to shut the control systems down to make changes in software or hardware because 
doing so means shutting down an industrial operation, such as chemical manufac- 
turing or electricity generation. In addition, the control systems operate equipment 
that represents a major capital expense and that is replaced or upgraded less fre- 
quently than are business systems. As a result, security fixes to control systems 
often require retrofitting, rather than just waiting for equipment to be replaced. Fi- 
nally, while business systems (for activities like billing) are relatively similar across 
industries, the control systems generally use specialized protocols and configura- 
tions specific to a particular industry. As a result, customized security solutions and 
strategies, including specialized testing, need to be developed. 

Industry responses to cyber vulnerability has depended on: (1) the type of infor- 
mation systems used in the sector, (2) how clear the risks associated with cyber at- 
tacks are, (3) what the value and return on investment in cyber security would be, 
(4) the availability of relevant cyber security technologies, and (5) (sometimes) what 
governmental action has been taken or is perceived as having the potential to be 
taken. For example, the financial and banking industries were very aggressive in 
adopting information security technologies, due in part to the fact that technologies 
to protect information and communications (the primary need in this area) have 
been a focus of cyber security development efforts for a long time because the extent 
of the vulnerability was very clear. 

In other industries, there are a variety of cyber security-focused activities under- 
way. In the electric power industry, the North American Electric Reliability Council 
(an industry coordination group) recently developed and adopted an interim cyber 
security standard that outlines minimum requirements needed to ensure the secu- 
rity of electronic exchange of information needed to support grid reliability and mar- 
ket operations; work on a permanent standard is underway. In addition. Congress 
has focused attention on cyber security as a key element of ensuring electric reli- 
ability and drinking water safety. The Environmental Protection Agency has worked 
with the industry on understanding how their water processing facilities depend on 
information systems and what risks that creates. 

The chemical sector has developed a Chemical Sector Cyber Security Program, 
which is building on existing cooperative industry groups to carry out cyber secu- 
rity-specific activities. A sector-wide cyber security strategy was organized in 2002, 
and activities currently underway include work on establishing management prac- 
tices, guidelines, and standards, on information sharing, and on encouraging accel- 
erated development of improved security technologies. In addition, the chemical sec- 
tor companies involved with the program support legislation that will establish na- 
tional security guidelines for chemical facilities, require companies to conduct site 
vulnerability assessments and implement security plans, and create strong enforce- 
ment authority to help ensure facilities and systems are secure. 

In addition to specific cyber security activities, all critical infrastructure sectors 
have Information Sharing and Analysis Centers (ISACs), which provide a forum for 
companies to exchange, analyze and disseminate information about vulnerabilities, 
threats, and incidents in a trusted environment. (The establishment of ISACs was 
mainly a response to Presidential Decision Directive 63 (issued in 1998), which en- 
couraged industry to form such groups. Each ISAC has a different structure and re- 
lationship with the government, depending on the specific industry’s needs, history. 
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and regulatory environment.) In general, discussion of cyber security issues are con- 
sidered an important element of ISAC-based interactions, and cross-sector discus- 
sions of cyber security issues are coordinated by the information technology sector’s 
ISAC. 

Department of Homeland Security Cyber Security Activities and Responsibilities 

Cyber security activities at DHS are carried out in two directorates: the National 
Cyber Security Division (NCSD), located in the Information Analysis and Infrastruc- 
ture Protection Directorate, is responsible for operational cyber security; and the 
Science and Technology Directorate is responsible for cyber security research and 
development programs. 

Operational Cyber Security at DHS 

After the recently completed department-wide Second Stage Review, the Secretary 
of Homeland Security has proposed and begun to implement a number of organiza- 
tional changes, including the creation of an Assistant Secretary for Cyber Security 
and Telecommunications position. This office will be responsible for identifying and 
assessing the vulnerability of critical telecommunications infrastructure and assets, 
providing timely and usable threat information, and leading the national response 
to cyber and telecommunications attacks. (To date, the NCSD has reported to the 
existing Assistant Secretary for Infrastructure Protection; going forward, the new 
Assistant Secretary will be parallel to this position.® ) 

The responsibilities of the NCSD are defined by several documents, including the 
National Strategy to Secure Cyberspace, Homeland Security Presidential Directive 
7 (HSPD-7) on Critical Infrastructure Identification, Prioritization, and Protection,^ 
the Interim National Infrastructure Protection Plan, and the National Response 
Plan. In FY06, $73 million was requested for NCSD, a $6 million increase from the 
level appropriated for FY05. The NCSD’s mission, as defined in HSPD-7, includes 
analysis, warning, information sharing, vulnerability reduction, mitigation, and aid- 
ing national recovery efforts for critical infrastructure information systems.® Cur- 
rently, within these broad goals, three areas of particular concern and focus for 
NCSD in the area of critical infrastructure protection are (1) strategies to improve 
the resiliency of the Internet against disruption, (2) improving the security of con- 
trol systems, and (3) improving software assurance (tr3dng to move from patch man- 
agement to systems that emphasize security as software is being developed). 

One of the most important activities of NCSD is coordination with the private sec- 
tor on efforts to reduce vulnerabilities and minimize the severity of cyber attacks. 
Information sharing is necessary to ensure awareness of vulnerabilities, and ways 
to mitigate vulnerabilities, awareness of threats and attack methods, and prepared- 
ness for response and recovery. Companies are expected to be a source of informa- 
tion about what problems they are experiencing and what solutions have been effec- 
tive, while the government (primarily via DHS) is expected to be a source of infor- 
mation about threats. Both government and industry acknowledge that information 
sharing needs to be improved. Industry has been reluctant to share sensitive infor- 
mation incidents. In addition, it has been unclear whether DHS has developed the 
policies or attracted the expertise to ensure the confidentiality of sensitive informa- 
tion and to provide reliable analysis and feedback about threats and potential solu- 
tions. 

A variety of activities are underway in the NCSD to carry out its mission. These 
include the U.S. Computer Emergency Readiness Team (US-CERT), which was es- 
tablished in 2003 as a partnership between DHS and the public and private sectors. 
US-CERT is responsible for analyzing and reducing cyber threats and 
vulnerabilities, disseminating cyber threat warning information, and coordinating 


®The new Assistant Secretary for Cyber Security and Telecommunications will be Presi- 
dentially appointed, but not Senate confirmed. The new position was announced on July 13, 
2005, but as of the date of this hearing an appointment had not yet been made. 

'^Homeland Security Presidential Directive 7 (HSPD— 7) on Critical Infrastructure Identifica- 
tion, Prioritization, and Protection is available on line at http:j I www.whitehouse.gov I news I re- 
leases 12003 / 12 12003121 7-5.html. 

®To meet its responsibilities from HSPD— 7, as well as other national strategies and plans, 
NCSD has defined for itself six core goals: (1) establish a National Cyher Security Response Sys- 
tem to prevent, detect, respond to, and reconstitute rapidly after cyber incidents; (2) work with 
public and private sectors to reduce vulnerabilities and minimize the severity of cyber attacks; 
(3) promote a comprehensive national awareness program to empower American businesses, the 
general workforce, and the general population to secure their own parts of cyberspace; (4) foster 
adequate training and education programs to support the Nation’s cyber security needs; (5) co- 
ordinate with the intelligence and law enforcement communities to identify and reduce threats 
to cyberspace; and (6) build a world-class organization that aggressively advances its cyber secu- 
rity mission and goals in partnership with its public and private stakeholders. 
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incident response activities. Another key NCSD activity is organizing exercises to 
test preparedness and response plans for cyber attack. The next such exercise is 
scheduled for November 2005 and will include public and private sector partici- 
pants, including companies from the energy, financial, and transportation sectors. 

Cyber Security Research and Development at DHS 

Research and development related to cyber security are the responsibility of the 
DHS Science and Technology Directorate. In FY06, $16.7 million was requested for 
the cyber security programs in the Science and Technology Directorate, a $1.3 mil- 
lion decrease from the level appropriated for FY05. Specific programs focus on im- 
proving the security of Internet communication protocols and developing tech- 
nologies to enhance the (wber security of critical infrastructure sectors, including of 
process control systems. Support and coordination is also provided for the collection 
of large-scale data sets about network behavior that researchers can use to better 
understand problems with networks and design potential solutions. Testbeds are 
also a critical element of DHS Science and Technology Directorate cyber security 
programs. They provide support for and participate in the NSF-funded Defense 
Technology Experimental Research (DETER) testbed (described below). They also 
work with the Department of Energy (at Sandia and Idaho National Laboratories) 
to support a control systems testbed, which is critical for design and verification of 
security technologies for control system applications. Since these systems often oper- 
ate with real-time consequences and continuously or almost continuously, any secu- 
rity solution must be designed for the configuration in which the equipment and 
software is used and rigorously tested in realistic situations. 

Cyber Security at Other Government Agencies and Interagency Coordination 

Operational Cyber Security 

Each critical infrastructure sector is associated with a lead government agency. 
For some sectors (e.g., chemicals, transportation systems, information technology 
and telecommunications), the lead agency is DHS, but for many other sectors, an- 
other agency is the lead (e.g., the Department of Energy for the electric power and 
oil and gas sectors, the Environmental Protection Agency for water treatment facili- 
ties, the Department of the Treasury for banking and finance, and the Department 
of Agriculture for the food sector). However, HSPD-7, the 2003 Presidential Direc- 
tive that designated the lead agencies, also clearly articulated that DHS would con- 
tinue to maintain an organization to serve as a focal point for the security of cyber- 
space. For example, DHS, the Department of Defense (DOD), and the Department 
of Justice co-chair the interagency National Cyber Response Coordination Group. In 
addition to coordinating with other agencies on the cyber security of critical infra- 
structure facilities, DHS also works with the Office of Management and Budget, 
which has significant responsibilities for the security of the Federal Government’s 
information systems. 

Cyber Security Research and Development Programs 

Significant cyber security research and development programs are underway in a 
variety of federal agencies, including the National Science Foundation (NSF), the 
National Institute of Standards and Technology (NIST), and the Defense Advanced 
Research Projects Agency (DARPA). The programs at NSF and NIST were author- 
ized by the Cyber Security Research and Development Act (P.L. 107-305). 

At NSF, cyber security research is conducted under the auspices of the Cyber 
Trust program, which supports projects designed to make networked computer sys- 
tems more predictable, more accountable, and less vulnerable to attack and abuse. 
This program is funded at $65 million in FY05, and the projects supported cover 
a wide variety of information security areas. Critical infrastructure applications are 
included; in August 2005, NSF provided funding to a new center at the University 
of Illinois to perform research to support the design, construction and validation of 
a secure cyberinfrastructure for the next-generation electric power grid. (Both the 
Department of Energy and DHS have pledged to collaborate with NSF to fund and 
manage this effort.) Another relevant project is the Cyber Defense Technology Ex- 
perimental Research (DETER) testbed, which provides an experimental environ- 
ment in which government, academic, and industry cyber security researchers can 
safely analyze and measure attacks and develop attack mitigation and confinement 
strategies. (DHS also provides some funding for DETER.) These research and 
testbeds projects also have educational elements, as the laboratories supported by 
those funds become centers of expertise in information systems for critical infra- 
structure and train the personnel that critical infrastructure companies and infor- 
mation technology companies need to improve the security of critical infrastructure 
sector applications. In addition to its cyber security research programs, NSF also 
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supports cyber security education activities, including scholarships and curriculum 
development (these programs received $16 million in FY05). 

At NIST, cyber security activities are centered in the Computer Security Division, 
which was funded at $19 million in FY05. The division’s activities include devel- 
oping standards, metrics, tests, guidelines, and validation programs related to infor- 
mation security and stud 3 dng and raising awareness of information technology risks, 
vulnerabilities, and protection requirements. NIST also has specific responsibilities 
under the Federal Information Security Management Act of 2002 for developing 
standards for federal information systems security and supporting federal agencies’ 
cyber security efforts. An example of a recent NIST cyber security project (supported 
by DHS) is the August 2005 launch of the National Vulnerability Database, which 
contains about 12,000 entries describing vulnerabilities in commonly-used informa- 
tion technology products. (About 10 new entries are added each day.) The database 
integrates all publicly available U.S. Government vulnerability resources and is de- 
signed to provide references to industry resources. 

A number of other agencies, mainly in DOD, have cyber security research and de- 
velopment activities. The DOD activities focus mainly on specific information assur- 
ance requirements related to DOD’s military and intelligence missions. The Depart- 
ment of Energy’s programs are focused primarily on applications related to the en- 
ergy and electric power sectors (as in the work on control systems testbeds at De- 
partment of Energy laboratories described above). 

All of these programs are coordinated through the National Science and Tech- 
nology Council’s (NSTC’s) Interagency Working Group on Critical Information Infra- 
structure Protection Research and Development. In response to recommendations 
from the President’s Information Technology Advisory Committee, this interagency 
group has recently been reformulated to report to both the NSTC Subcommittee on 
Infrastructure and its Subcommittee on Networking and Information Technology 
Research and Development. This group has recently begun work on defining top 
cyber security research and development needs and mapping those needs against 
current federal activities. 

7. Witness Questions 

Questions for Mr. Andy Purdy: 

• How do critical infrastructure sectors depend on public and private informa- 
tion systems? What are the possible consequences for these sectors of disrup- 
tion or attack on their information systems? What steps is DHS taking to 
help these sectors secure their systems? 

• How does DHS work with the critical infrastructure sectors to gather and 
communicate information about threats, risks, and solutions related to cyber 
security? 

• In what areas are current cyber security technical solutions for critical infra- 
structure applications inadequate? Where is further research needed to miti- 
gate existing and emerging threats and vulnerabilities? How is DHS working 
with industry and academic researchers to define priorities for and support 
research in these areas? How does DHS coordinate these efforts within DHS 
and with other federal agencies, such as NSF, NIST, and DARPA? 

Questions for Mr. John Leggate: 

• How does the energy sector depend on public and private information sys- 
tems? What are the possible consequences for the energy sector of disruption 
or attack on its information systems? What steps is BP taking to secure its 
systems? 

• What are the most critical responsibilities of DHS in cyber security for the 
energy sector and what are the most urgent steps the new Assistant Sec- 
retary for Cyber Security and Telecommunications should take? 

• In what areas are current cyber security technical solutions for the energy 
sector inadequate? Where is further research needed to mitigate existing and 
emerging threats and vulnerabilities? How should federal agencies, such as 
DHS, NSF, NIST, and DARPA, and academic researchers work with industry 
to define priorities for and support research in these areas? 

Questions for Mr. David Kepler: 

• How does the chemical sector depend on public and private information sys- 
tems? What are the possible consequences for the chemical sector of disrup- 
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tion or attack on its information systems? What steps is Dow taking to secure 
its systems? 

• What are the most critical responsibilities of DHS in cyber security for the 
chemical sector and what are the most urgent steps the new Assistant Sec- 
retary for Cyber Security and Telecommunications should take? 

• In what areas are current cyber security technical solutions for the chemical 
sector inadequate? Where is further research needed to mitigate existing and 
emerging threats and vulnerabilities? How should federal agencies, such as 
DHS, NSF, NIST, and DARPA, and academic researchers work with industry 
to define priorities for and support research in these areas? 

Questions for Mr. Gerald Freese: 

• How does the electric power sector depend on public and private information 
systems? What are the possible consequences for the electric power sector of 
disruption or attack on its information systems? What steps is American Elec- 
tric Power taking to secure its systems? 

• What are the most critical responsibilities of DHS in cyber security for the 
electric power sector and what are the most urgent steps the new Assistant 
Secretary for Cyber Security and Telecommunications should take? 

• In what areas are current cyber security technical solutions for the electric 
power sector inadequate? Where is further research needed to mitigate exist- 
ing and emerging threats and vulnerabilities? How should federal agencies, 
such as DHS, NSF, NIST, and DARPA, and academic researchers work with 
industry to define priorities for and support research in these areas? 

Questions for Mr. Andrew Geisse: 

• How does the communications sector depend on public and private informa- 
tion systems? What are the possible consequences for the communications sec- 
tor of disruption or attack on its information systems? What steps is SBC tak- 
ing to secure its systems? 

• What are the most critical responsibilities of DHS in cyber security for the 
communications sector and what are the most urgent steps the new Assistant 
Secretary for Cyber Security and Telecommunications should take? 

• In what areas are current cyber security technical solutions for the commu- 
nications sector inadequate? Where is further research needed to mitigate ex- 
isting and emerging threats and vulnerabilities? How should federal agencies, 
such as DHS, NSF, NIST, and DARPA, and academic researchers work with 
industry to define priorities for and support research in these areas? 
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Attachment A 


Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cyber Security Re- 
sponsibilities 

Government Accountability Office Report GAO-05^34 
http:! / www.gao.gov I new.items I d05434.pdf 

Excerpt: Results in Brief 

As the focal point for critical infrastructure protection, DHS has many cyher secu- 
rity-related roles and responsibilities that are called for in law and policy. These re- 
sponsibilities include developing plans, building partnerships, and improving infor- 
mation sharing, as well as implementing activities related to the five priorities in 
the national cyberspace strategy: (1) developing and enhancing national cyber anal- 
ysis and warning, (2) reducing cyberspace threats and vulnerabilities, (3) promoting 
awareness of and training in security issues, (4) securing governments’ cyberspace, 
and (5) strengthening national security and international cyberspace security co- 
operation. To fulfill its cyber security role, in June 2003, DHS established the Na- 
tional Cyber Security Division to serve as a national focal point for addressing cyber 
security and coordinating the implementation of cyber security efforts. 

While DHS has initiated multiple efforts, it has not fully addressed any of the 
13 key cyber security-related responsibilities that we identified in federal law and 
policy, and it has much work ahead in order to be able to fully address them. For 
example, DHS (1) has recently issued the Interim National Infrastructure Protection 
Plan, which includes cyber security elements; (2) operates the United States Com- 
puter Emergency Readiness Team to address the need for a national analysis and 
warning capability; and (3) has established forums to foster information sharing 
among federal officials with information security responsibilities and among various 
law enforcement entities. However, DHS has not yet developed national threat and 
vulnerability assessments or developed and exercised government and government/ 
industry contingency recovery plans for cyber security, including a plan for recov- 
ering key Internet functions. Further, DHS continues to have difficulties in devel- 
oping partnerships — as called for in federal policy — with other federal agencies. 
State and local governments, and the private sector. 

DHS faces a number of challenges that have impeded its ability to fulfill its cyber 
CIP responsibilities. Key challenges include achieving organizational stability; gain- 
ing organizational authority; overcoming hiring and contracting issues; increasing 
awareness about cyber security roles and capabilities; establishing effective partner- 
ships with stakeholders (other federal agencies. State and local governments, and 
the private sector); achieving two-way information sharing with these stakeholders; 
and demonstrating the value DHS can provide. In its strategic plan for cyber secu- 
rity, DHS has identified steps that can begin to address these challenges. However, 
until it effectively confronts and resolves these underl 3 dng challenges, DHS will 
have difficulty achieving significant results in strengthening the cyber security of 
our nation’s critical infrastructures, and our nation will lack the strong cyber secu- 
rity focal point envisioned in federal law and policy. 

We are making recommendations to the Secretary of Homeland Security to 
strengthen the Department’s ability to implement key cyber security responsibilities 
by completing critical activities and resolving underlying challenges. 

DHS provided written comments on a draft of this report (see app. III). In brief, 
DHS agreed that strengthening cyber security is central to protecting the Nation’s 
critical infrastructures and that much remains to be done. In addition, DHS con- 
curred with our recommendation to engage stakeholders in prioritizing its key cyber 
security responsibilities. However, DHS did not concur with our recommendations 
to identify and prioritize initiatives to address the challenges it faces, or to establish 
performance metrics and milestones for these initiatives. Specifically, DHS reported 
that its strategic plan for cyber security already provides a prioritized list, perform- 
ance measures, and milestones to guide and track its activities. The department 
sought additional clarification of these recommendations. While we agree with DHS 
that its plan identifies activities (along with some performance measures and mile- 
stones) that will begin to address the challenges, this plan does not include specific 
initiatives that would ensure that the challenges are addressed in a prioritized and 
comprehensive manner. For example, the strategic plan for cyber security does not 
include initiatives to help stabilize and build authority for the organization. Fur- 
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ther, the strategic plan does not identify the relative priority of its initiatives and 
does not consistently identify performance measures for completing its initiatives. 

As DHS moves forward in identifying initiatives to address the underlying chal- 
lenges it faces, it will be important to establish performance measures and mile- 
stones for fulfilling these initiatives. 

DHS officials (as well as others who were quoted in our report) also provided de- 
tailed technical corrections, which we have incorporated in this report as appro- 
priate. 
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Chairman BoEHLERT. The Committee will come to order. 

Before we proceed with today’s hearing, the Committee must 
first dispense, very briefly, with some administrative business. 

I recognize Mr. Gordon to offer a request regarding Democratic 
subcommittee membership. 

Mr. Gordon. Thank you, Mr. Chairman. 

By direction of the Democratic caucus of the Science Committee, 
I ask unanimous consent to ratify the election of Representative 
Dennis Moore of Kansas to the Subcommittee on Research, thereby 
filling one of the existing Democratic vacancies. 

Chairman BoEHLERT. Without objection, so ordered. 

That concludes the Committee’s organizational business. 

And we will now proceed with the hearing. 

And incidentally, I can’t imagine any hearing any place on this 
Hill, including what our colleagues in the Senate are doing with 
the Roberts nomination, that exceeds the importance of the topic 
being discussed here today. And I am so appreciative of the wit- 
nesses who have agreed to share with us and enlighten us on a 
very important subject matter. And I want you to know how much 
we welcome your appearance, because you are facilitators. We 
learn from you. We like to think all Members of Congress, we are 
all alike. We like to think we have got all of the answers. We don’t 
even know some of the questions. But I do know this, that cyber 
security is critically important. And what we are about today takes 
us further down the path of dealing in a responsible way with this 
very important subject. 

So I want to welcome everyone to this morning’s hearing on 
cyber security, a subject that has long been the focus of the Science 
Committee. 

The Nation has been making progress in developing ways to fend 
off and respond to cyber attacks. For example, federal agencies 
have been implementing our Cyber Security Research and Develop- 
ment Act, and when I say “our,” I say it proudly. That is the result 
of this committee’s work, albeit at funding levels significantly 
below what we would wish, and quite frankly, what is needed. 

Homeland Security Secretary Michael Chertoff, responding to 
calls from industry and the Congress, has created the position of 
Assistant Secretary for Cyber Security. But as our witnesses today 
will make clear, we still have a very long way to go. We still pay 
inadequate attention to cyber security research operations in both 
the government and private sector. We shouldn’t have to wait for 
the cyber equivalent of Hurricane Katrina to realize that we are in- 
adequately prepared to prevent, detect, and respond to cyber at- 
tacks. And a cyber attack can affect a far larger area at a single 
stroke than can any hurricane. Not only that, given the increasing 
reliance of critical infrastructures on the Internet, a cyber attack 
could result in deaths as well as in massive, massive disruption to 
our economy and daily life. 

There is another lesson we should take from Katrina beyond the 
need to prepare for real dangers that have not been recently expe- 
rienced, and that is not to focus exclusively on terrorism. Cyber at- 
tacks could occur from any number of sources and motivations, 
even from error, not just from foreign or domestic terrorists who 
would do us harm. 
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So our goal this morning is to help develop a cyber security agen- 
da for the Federal Government, especially to provide assistance for 
the new Assistant Secretary. I never want to sit on a special com- 
mittee set up to investigate why we were unprepared for a cyber 
attack. We know we are vulnerable. It is time to act. 

And I look forward to hearing from our witnesses and the guid- 
ance that they might give us to do just that. 

With that, I am pleased to recognize my partner, my colleague, 
my friend, Mr. Gordon from Tennessee. 

[The prepared statement of Chairman Boehlert follows:] 

Prepared Statement of Chairman Sherwood L. Boehlert 

I want to welcome everyone to this morning’s hearing on cyber security, a subject 
that has long been a focus of the Science Committee. 

The Nation has been making progress in developing ways to fend off and respond 
to cyber attacks. For example, federal agencies have been implementing our Cyber 
Security Research and Development Act, albeit at funding levels significantly below 
what we would wish. Homeland Security Secretary Michael Chertoff, responding to 
calls from industry and the Congress, has created the position of Assistant Sec- 
retary for Cyber Security. 

But as our witnesses today will make clear, we still have a very long way to go. 
We still pay inadequate attention to cyber security research and operations in both 
the government and private sector. 

We shouldn’t have to wait for the cyber equivalent of a Hurricane Katrina — or 
even and Hurricane Ophelia might serve — to realize that we are inadequately pre- 
pared to prevent, detect and respond to cyber attacks. 

And a cyber attack can affect a far larger area at a single stroke that can any 
hurricane. Not only that, given the increasing reliance of critical infrastructures on 
the Internet, a cyber attack could result in deaths as well as in massive disruption 
to the economy and daily life. 

There’s another lesson we should take from Katrina beyond the need to prepare 
for real dangers that have not been recently experienced. And that is not to focus 
exclusively on terrorism. Cyber attacks could occur from any number of sources and 
motivations — even from error — not just from foreign or domestic terrorists. 

So our goal this morning is to help develop a cyber security agenda for the Fed- 
eral Government, especially for the new Assistant Secretary. I never want to have 
to sit on a special committee set up to investigate why we were unprepared for a 
cyber attack. We know we are vulnerable, it’s time to act. 

I look forward to hearing our witnesses’ guidance on how to do just that. 

Mr. Gordon. Thank you, Mr. Chairman. 

As usual, I want to concur with your remarks, particularly in 
context to the urgency and the seriousness of this issue. 

Today’s hearing has two important purposes: to assess the 
progress in improving the security of computer systems on which 
critical industries rely, and to explore why progress has been so 
slow. 

Networked information systems are key components of many of 
the Nation’s critical infrastructures, including electrical power dis- 
tribution, banking, finance, water supply, and telecommunications. 

Computer system vulnerabilities persist worldwide, and the 
initiators of random cyber attacks that plague the Internet remain 
largely unknown. 

But we know that many international terrorist groups now ac- 
tively use computers and the Internet to communicate, and they 
are clearly capable of developing or acquiring the technical skills 
to direct a coordinated attack against networked computers in the 
United States. 

The disruptions and economic damages that could result from a 
successful cyber attack to one or more of our critical infrastructures 
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could be substantial. And damage to water supply systems or to 
the chemical processing plants, for example, could also create life- 
threatening consequences. 

Following the events of 9/11, ensuring that security of critical in- 
frastructure has become a national priority, but progress in secur- 
ing the cyber infrastructure has simply been too slow. 

A presidential directive from the Clinton Administration, PDD- 
63, instituted policies and established a new organization to im- 
prove the Nation’s ability to detect and respond to cyber attacks, 
including mechanisms to improve communications between the 
public and the private sectors regarding cyber security matters. 
Subsequently, the new Department of Homeland Security was 
charged to be the government’s focal point for cyber security. 

And yet, in a report released this summer, GAO found that the 
Department of Homeland Security has not yet developed national 
cyber threat and vulnerability assessments or government/industry 
contingencies to recovery plans for cyber security. This is simply 
not good enough. 

Recent events make all too clear that inadequate recovery plans, 
either by design or execution, have dire consequences for the citi- 
zens’ health and well being. Inaction can be an enemy just as le- 
thal as terrorists. 

GAO stressed that to be successful in meeting its responsibilities, 
the Department will need to achieve organizational stability for 
cyber security activities, including the elevation of its function 
within the Department. 

In addition, GAO indicates the Department must work to develop 
effective partnerships with stakeholders, and then achieve two-way 
information sharing with those stakeholders. 

Today, we have an opportunity to hear from some of those stake- 
holders about what is being done within their industry sectors — to 
improve cyber security, where they now stand, and what could be 
done to accelerate progress. 

I am interested in hearing about their relationship to and inter- 
actions with the Department of Homeland Security and in their 
views on how the government can be more effective in achieving 
the overall goal of cyber security for critical infrastructures. 

We need to understand what the fundamental impediments are 
to securing cyberspace and to take appropriate action to overcome 
them. 

And let me just conclude by saying this. As I was reviewing the 
briefing material for this hearing, it is inevitable that you look at 
it in context to Katrina. And some might say, “Well, the financial 
services, you know, if a bank in New Orleans or electrical power 
or a telecommunication outfit has several pipes that burst and they 
are flooded, well, you know, at least an inconvenience, but the pri- 
vate sector will come in and, through competition, will take care of 
those customers.” 

But what if all of the banks, what if all of the power systems go 
out of order? Well, it goes beyond just being a regional concern. It 
becomes a national concern. It means heartache and 
distraughtness for those individuals there, but for the American 
public, it means a big bill. We are spending $200 billion or more 
to clean up the mess from Katrina. 
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You know, I don’t want to see, as the Chairman said, you know, 
I don’t want to be here at a hearing later on saying, “What went 
wrong? And how can we improve this thing?” I mean, the fact of 
the matter is that when the price of gas is stable, you know, no- 
body is really complaining, but when it spikes up and again, this 
is a private sector matter — but when it spikes up, the public says, 
“Where are the bums in Washington? What are you doing?” 

Well, you know, we want to get in front of this. And quite frank- 
ly, after four years of Homeland Security working on this problem, 
we are not where we need to be, and we are not where we should 
be. I hope that this will be an impetus today to change that and 
to move that forward. 

And so with that, Mr. Chairman, I again join you in welcoming 
these witnesses. This is an important hearing, and I look forward 
to moving forward with it. 

[The prepared statement of Mr. Gordon follows:] 

Prepared Statement of Representative Bart Gordon 

Today’s hearing has two important purposes: To assess progress in improving the 
security of computer systems on which critical industries rely and to explore why 
progress has been so slow. 

Networked information systems are key components of many of the Nation’s crit- 
ical infrastructures, including electric power distribution, banking and finance, 
water supply, and telecommunications. 

Computer system vulnerabilities persist worldwide, and the initiators of random 
cyber attacks that plague the Internet remain largely unknown. 

But we know that many international terrorist groups now actively use computers 
and the Internet to communicate, and they are clearly capable of developing or ac- 
quiring the technical skills to direct a coordinated attack against networked com- 
puters in the United States. 

The disruptions and economic damages that could result from a successful cyber 
attack to one or more of our critical infrastructures could be substantial. And dam- 
age to water supply systems or to chemical processing plants, for example, could 
also create life threatening consequences. 

Following the events of 9/11, ensuring the security of critical infrastructures has 
become a national priority, but progress in securing the cyber infrastructure has 
simply been too slow. 

A presidential directive from the Clinton Administration, PDD-63, instituted poli- 
cies and established new organizations to improve the Nation’s ability to detect and 
respond to cyber attacks, including mechanisms to improve communication between 
the public and private sectors regarding cyber security matters. Subsequently, the 
new Department of Homeland Security was charged to be the government’s focal 
point for cyber security. 

And yet, in a report released this summer, GAO found that the Department of 
Homeland Security has not yet developed national cyber threat and vulnerability as- 
sessments or government/industry contingency recovery plans for cyber security. 
This is simply not good enough. 

Recent events make all too clear that inadequate recovery plans, either by design 
or execution, have dire consequences for the health and well being of our citizens. 
Inaction can be an enemy just as lethal as terrorists. 

GAO stresses that to be successful in meeting its responsibilities, the Department 
will need to achieve organizational stability for cyber security activities, including 
an elevation of this function within the Department. 

In addition, GAO indicates the Department must work to develop effective part- 
nerships with stakeholders, and then achieve two-way information sharing with 
these stakeholders. 

Today, we have an opportunity to hear from some of the stakeholders about what 
is being done within their industry sectors to improve cyber security, where they 
now stand, and what could be done to accelerate progress. 

I am interested in hearing about their relationship to and interactions with the 
Department of Homeland Security and in their views on how the government can 
be more effective in achieving the overall goal of cyber security for critical infra- 
structures. 
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We need to understand what the fundamental impediments are to securing cyber 
space and to take appropriate action to overcome them. 

Mr. Chairman, I want to thank you for calling this hearing, and I look forward 
to our discussion with the panel. 

[The prepared statement of Mr. Costello follows:] 

Prepared Statement of Representative Jerry F. Costello 

Good morning. I want to thank the witnesses for appearing before our committee 
to examine the current state of cyber security, how various critical infrastructure 
sectors depend on information systems, and what is and should be done to secure 
these systems. In addition, I am pleased today’s hearing will also explore the respec- 
tive roles of the Federal Government and private sector with respect to cyber secu- 
rity. 

Certain socio-economic activities are vital to the day-to-day functioning and secu- 
rity of the country; for example, transportation of goods and people, communica- 
tions, banking and finance, and the supply and distribution of electricity and water. 
Domestic security and our ability to monitor, deter, and respond to outside acts also 
depend on some of these activities as well as other more specialized activities like 
intelligence gathering and command and control of police and military forces. A seri- 
ous disruption in these activities and capabilities could have a major impact on the 
country’s well-being. 

Even before the terrorist attacks of September 2001, concerns had been rising 
among security experts about the vulnerabilities to attack of computer systems and 
associated infrastructure. Yet, despite increasing attention from Federal and State 
governments and international organizations, the defense against attacks on these 
systems has appeared to be generally fragmented and varying widely in effective- 
ness. Concerns have grown that what is needed is a national cyber security frame- 
work — a coordinated, coherent set of public- and private-sector efforts required to 
ensure an acceptable level of cyber security for the Nation. 

While industry and the Federal Government have increased their focus on cyber 
security in recent years, vulnerabilities remain, despite passage of the Cyber Secu- 
rity Research and Development Act. The bill authorized $903 million over five years 
for new federal programs to ensure that the U.S. is better prepared to prevent and 
combat terrorist attacks on private and government computers. The legislation was 
developed following a series of post-September 11, 2001 Science Committee hearings 
on the emerging cyber terrorist threat and the lack of a coordinated U.S. response. 
Despite this legislative and programmatic initiative, our computer and communica- 
tions networks, upon which the country’s economic and critical infrastructures for 
finance, transportation, energy and water distribution, and health and emergency 
services depend, are still among the Nation’s vulnerabilities. 

Valid concerns remain that the U.S. is still not appropriately organized and pre- 
pared to counter and respond to cyber security. Multiple federal agencies, as well 
as institutions of higher education and the private sector, have critical roles to play; 
yet, no enactment of or planning for the National Strategy has occurred and coordi- 
nation is was lacking among agencies as they developed their research and develop- 
ment budget requests for FY 2006. The absence of a clear advocate for cyber secu- 
rity at the Department of Homeland Security, coupled with the multiple senior DHS 
cyber security officials leaving the department sends a clear signal to Congress that 
the National Cyber Security Division does not have enough authority to work effec- 
tively with the private sector. I am aware that legislation has been proposed to ele- 
vate the head of the cyber security office to the assistant secretary level to give 
cyber security more visibility within DHS and to allow higher level input to national 
policy decisions, and consider this a positive step in the right direction. 

I again thank the witnesses for being with us today and providing testimony to 
our committee. 

[The prepared statement of Ms. Johnson follows:] 

Prepared Statement of Representative Eddie Bernice Johnson 

Mr. Chairman and Ranking Member, I am pleased that the Science Committee 
is discussing our nation’s cyber security today. 

I appreciate each ^est being here today. You all are uniquely qualified to speak 
about how well our infrastructure and policies are set up to handle disruptions or 
attacks on critical information systems. 

Every year, the world relies more heavily on information technology. We view our 
banking accounts over the Internet, we apply for loans on-line, we even pay our bills 
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on-line. We manage our prescriptions on-line, and there’s not much today we DON’T 
do on-line. 

We hear of small- and large-scale breaches in the security of our on-line informa- 
tion. One situation that comes to mind is of a large bank that had to contact all 
of its members because sensitive financial information had become insecure. 

Congress needs to exert leadership in the area of cyber security. Our current sys- 
tem contains a patchwork of programs that represents neither an efficient nor effec- 
tive coordinated federal effort. 

I am interested to hear from today’s witnesses how we can improve our current 
efforts in this critical area. 

Thank you, Mr. Chairman. I yield back and reserve the balance of my time. 

[The prepared statement of Mr. Carnahan follows:] 

Prepared Statement of Representative Russ Carnahan 

Mr. Chairman and Mr. Ranking Member, thank you for hosting this hearing. Mr. 
Purdy, Mr. Leggate, Mr. Freese, Mr. Kepler, and Mr. Geisse, thank you for joining 
us today to discuss the future cyber security of our nation. I am very interested in 
how we can improve this critical infrastructure and our nation’s security. 

In May 2005, the GAO released a report entitled “Critical Infrastructure Protec- 
tion: Challenges in Addressing Cyber Security.” I hope that you will touch on some 
of the issues raised in this report and suggest potential options to ensure the secu- 
rity of our cyber infrastructure. Information sharing lapses between the public and 
private sectors is one of the most critical areas raised by the GAO study. It is my 
hope that today’s hearing will help us understand opportunities for improvement. 

We are pleased to have you with us and I look forward to hearing your testimony. 

Chairman BOEHLERT. Thank you very much, Mr. Gordon, for 
those very well thought out and well reasoned arguments. 

Once again, as so frequently occurs on this committee, there is 
not strong disagreement. There is strength in the compatibility of 
our views as we go forward on a very important subject. 

Part of the problem is over at the Roberts hearing there are 
probably 200 press people. You know how this announcement of a 
hearing on cyber security is greeted outside the Committee room? 
With a muffled yawn, “Oh, what is cyber security?” This is a very 
important topic. 

So let me, once again, express to all of you my deep and personal 
appreciation for your willingness to be guides for those of us sitting 
on this side of the witness table. 

And Mr. Purdy, please relay to the Secretary our appreciation for 
the fact that he has announced the creation of the Assistant Sec- 
retary for Cyber Security position. I would hope that would be 
filled in a timely manner. I know attention is diverted in this crit- 
ical period, in the aftermath of Katrina. All of the resources of the 
Federal Government, on the domestic side, are focused on that, un- 
derstandably so. But that soon will be over. We are on the way to 
recovery and rebuilding one of the most important areas of the 
country. 

Now we have got to get on with the job of cyber security. And 
I will say to my friends down in the Administration, particularly 
those who have the heavy responsibility of working for 0MB, the 
Office of Management and Budget, that I would remind them that 
we passed the Cyber Security Research and Development Act in 
2002. It wasn’t yesterday. It wasn’t last month. It wasn’t last year. 
It was 2002. 

But unfortunately, we don’t control the purse strings. So we can 
determine the seriousness of the problem. We can provide direction 
in authorizing funds to address the problem in a comprehensive 
and meaningful way, but we don’t control the purse strings. The 
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appropriators, our colleagues on the Appropriations Committee, do. 
The people developing the budget, the people at 0MB, do. And they 
better get a message from this hearing: this is a priority subject 
and it better get the priority attention it deserves, including within 
DHS and within the entire Executive Branch and the Legislative 
Branch of government. 

Now with that, let me introduce our panel of very distinguished 
witnesses: Mr. Donald Purdy, Acting Director, National Cyber Se- 
curity Division, the Department of Homeland Security; Mr. John 
Leggate, Chief Information Officer and Group Vice President, Dig- 
ital & Communications Technology, BP; Mr. David Kepler, Cor- 
porate Vice President of Shared Services and Chief Information Of- 
ficer, the Dow Chemical Company; Mr. Gerald Freese, Director of 
Enterprise Information Security, American Electric Power. 

And for the purpose of an introduction, the Chair is pleased to 
recognize Mr. Akin. 

Mr. Akin. Thank you, Mr. Chairman. 

And I really appreciate this opportunity to introduce a native son 
of the Show Me State, Andy Geisse, the Chief Information Officer 
of SBC. Andy grew up in my hometown in St. Louis, earned a 
Bachelor’s degree in economics and mathematics from the Univer- 
sity of Missouri, Columbia, and an MBA from Washington Univer- 
sity also in St. Louis. 

And he has had a long and illustrious career with SBC Commu- 
nications, starting back in 1979 where he began as Assistant Man- 
ager in the comptroller’s department of SBC’s predecessor corpora- 
tion, Southwestern Bell. He then held a variety of information tech- 
nology, sales, and strategic marketing positions, including serving 
as the Director for Wireless Product Development for Southwestern 
Bell Mobile Systems, and Vice President and General Manager for 
Southwestern Bell Mobile Systems’ Oklahoma and West Texas re- 
gions. 

In 1995, he moved to Santiago, Chile, and served as Vice Presi- 
dent and Chief Executive Officer of VTR Cellular. He later became 
President of the Board of STARTED Communications, the first na- 
tionwide cellular company in Chile. SBC has interests in both com- 
panies. 

In January of 1998, Andy moved to New York as President and 
General Manager of SBC’s Cellular One upstate New York sub- 
sidiary. Later, he moved and became Vice President of Enterprise 
and OSS Systems for SBC and its subsidiaries located in Cali- 
fornia. In October of 1999, Andy was appointed Senior Vice Presi- 
dent, Enterprise Software Solutions, responsible for cooperate-wide 
software solutions where he relocated again to San Antonio, Texas. 
And boy, the mileage is piling up here, Andy. 

SBC Communications is an important and valued corporate cit- 
izen of St. Louis and Missouri. It has been a distinct pleasure 
working with the fine employees of SBC to ensure the citizens of 
my District receive excellent telecommunications services. 

On behalf of Chairman Boehlert and other Members of this fine 
committee, welcome to Congress, Andy. Thank you. 

Chairman Boehlert. Wow. That is quite an introduction. You 
know what I learned from that? It is an experience in upstate New 
York that makes you a very valued member for this panel. 
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Mr. Akin. He has got something for everybody, Mr. Chairman. 

Chairman BOEHLERT. Thank you very much, Mr. Akin. 

And I ask unanimous consent that our colleague, Mr. Sessions of 
Texas, be permitted to sit in on this hearing. He is a very valuable 
Member of the entire Congress and one who is deeply and person- 
ally interested in the matter before the Committee. Mr. Sessions, 
do you have anything you would care to say? 

Mr. Sessions. Mr. Chairman, thank you so much. It is good to 
be back over here. I have been gone from the Science Committee 
now for seven years. 

Mr. Chairman, one might assume, after Mr. Akin and myself, 
that it is an Andy Geisse Day in Congress, but I wanted to take 
just a moment. He has been properly introduced by the gentleman 
from Missouri. Mr. Geisse and I have known each other for 22 
years, during which time I have known Andy and his family. Dur- 
ing the service that I spent some two years as Vice Chairman of 
the Cyberscience Research and Development Subcommittee for 
Homeland Security, I counted on Andy to provide information to 
me, background information that would help me to better serve not 
only this nation, but also that committee. And I am very happy 
that SBC has chosen to send Mr. Geisse up here. He is a dear 
friend, and I think he will add a lot to today’s hearing. 

And I want to thank you for allowing me to sit with you and the 
Members of this committee. 

I yield back the time. 

Chairman BoEHLERT. Thank you very much, Mr. Sessions. I do 
appreciate it. 

Now to our witnesses. And the rule here is essentially the same 
as in most Committees. We ask that you try to summarize your 
opening statement in five minutes or thereabouts. And I am usu- 
ally offended when I make that announcement, because we have 
very distinguished witnesses who have so much to offer and to ask 
them to capsulize their thinking in 300 seconds or less is sort of 
unrealistic. And so the Chair is not going to be arbitrary. You are 
the only — part of the only panel we will have before us today, and 
you all have so much value to add to our knowledge base. So I 
would ask that you be guided by the lights, not directed by the 
lights. 

With that, Mr. Purdy, you are first up. 

STATEMENT OF MR. DONALD “ANDY” PURDY, JR., ACTING DI- 
RECTOR, NATIONAL CYBER SECURITY DIVISION, DEPART- 
MENT OF HOMELAND SECURITY 

Mr. Purdy. Good morning. Chairman Boehlert and distinguished 
Members of the Committee. My name is Andy Purdy. I am the Act- 
ing Director of the Department of Homeland Security’s National 
Cyber Security Division. 

I am delighted to appear before you to share the work of NCSD 
and those with whom we are partnering to secure our national 
cyberspace and critical infrastructure. 

Pursuant to President Bush’s Homeland Security Presidential 
Directive 7 (HSPD-7), our Infrastructure Protection Office devel- 
oped the National Infrastructure Protection Plan (NIPP) to serve as 
a guide for addressing critical infrastructure and key resource pro- 
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tection. It sets forth a risk management framework for public and 
private sector stakeholders to work together to identify, prioritize, 
and conduct vulnerability assessments of critical assets and key re- 
sources in each sector. It also includes the identification of inter- 
dependencies of critical assets and key resources both within and 
across sectors as well as providing priority protective measures 
that owners and operators of such assets should undertake to se- 
cure them. 

DHS recognizes that more than 85 percent of the critical infra- 
structure is owned by the private sector and that the development 
and enhancement of public-private partnership is paramount to se- 
curing our nation’s assets. 

As such, private sector-led sector coordinating councils are being 
established to work with their appropriate sector-specific agency 
via the government coordinating councils, which represent the gov- 
ernment agencies that have a role in protecting their respective 
sectors. 

Our Division was created in response to President Bush’s Na- 
tional Strategy to Secure Cyberspace as a national focal point for 
cyber security. Given today’s interconnected environment and the 
Department’s integrated risk-based approach to critical infrastruc- 
ture protection, our mission is to work collaboratively with public, 
private, and international entities to secure cyberspace and Amer- 
ica’s cyber assets. To meet that mission, we developed a strategic 
plan that is closely aligned with the Strategy, HSPD-7, the Na- 
tional Infrastructure Protection Plan, and the Cyber Annex to the 
National Response Plan. 

To carry out our mission and related responsibilities, we have 
identified two overarching priorities: to build an effective National 
Cyberspace Response System, and implement a cyber risk manage- 
ment program for critical infrastructure protection. 

A core component of our first priority is the US-CERT Oper- 
ations Center that is a partnership between the Department and 
the public and private sectors to address cyber security issues. It 
provides a national coordination center that links public and pri- 
vate response capabilities to facilitate information sharing and co- 
ordinated response to help maintain the continuity of our nation’s 
cyber infrastructure. 

We worked with the Department of Defense and the Department 
of Justice to form the National Cyber Response Coordination Group 
that is the principle interagency mechanism to prepare for and re- 
spond to cyber incidents of national significance that was formal- 
ized in the Cyber Annex to the National Response Plan. 

An important element of our response system is our ability to ad- 
dress the global nature of cyberspace. Implementation of our inter- 
national cyber security strategy and its related outreach and col- 
laboration objectives is well underway. Such international coopera- 
tion contributes to our overall global situation awareness and inci- 
dent response capabilities in an area in which information moves 
at Internet speeds and traditional borders do not apply. 

To advance the second priority of cyber risk management, we 
have incorporated a risk management approach aligned with the 
interim NIPP into its effort to better assess the threat and reduce 
the risk to our national cyberspace. Risk management includes risk 
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assessment based on threat, vulnerabilities, and consequences as 
well as efforts to reduce the risk by addressing vulnerabilities be- 
fore an attack occurs and mitigating and managing the con- 
sequences of a cyber attack that does occur. 

Regarding reducing risk, our sector-specific responsibilities with- 
in the Department, among others, including the information tech- 
nology sector, which we are the lead for, and the telecommuni- 
cations sector, which our partner agency, the National Communica- 
tions System, is responsible for. 

The NIPP also includes a cross-sector cyber responsibility for us. 

In addition to our specific responsibilities, there are three major 
components of our risk mitigation approach. 

First, we have established the Internet Disruption Working 
Group with the National Communications System to address the 
resiliency and recovery of Internet functions in the case of a major 
cyber incident. The Department of Treasury and the Department 
of Defense are also engaged, and the working group is acting to ex- 
tend the partnership to representatives in the private sector as 
well as international stakeholders. 

Next, the interdependency between physical and cyber infra- 
structures is hardly more acute than in the use of control systems 
as integral operating components of many of our critical infrastruc- 
tures. 

Interestingly, these control systems are implemented with re- 
mote access, open connectivity, and connections to open networks, 
such as corporate intranets and the Internet. These make critical 
infrastructure assets more automated, more productive, more effi- 
cient, more innovative, but they also may expose many of those 
physical assets to physical consequences from cyber-related threats. 

The third major component of our effort is the Software Assur- 
ance Program. Defects in software can be exploited to launch crit- 
ical cyber attacks, and we have developed a comprehensive soft- 
ware assurance framework that addresses people, process, tech- 
nology, and acquisition through the software development process. 

I hope we have the opportunity in the questions to discuss our 
cyber R&D agenda and our relationship with the Science and Tech- 
nology Director to fund those. We are committed to achieving suc- 
cess in our goals and objectives, but we cannot do it alone. We will 
continue to work with government and the private sector to lever- 
age the efforts of all so we, as a Nation, are more secure in cyber- 
space and in our critical infrastructures. 

Again, thank you for the opportunity to testify before you today, 
and I look forward to your questions. 

[The prepared statement of Mr. Purdy follows:] 

Prepared Statement of Donald (Andy) Purdy, Jr. 

Good morning Chairman Boehlert and distinguished Members of the Committee. 
My name is Andy Purdy, and I am the Acting Director of the Department of Home- 
land Security’s National Cyher Security Division (NCSD). I am delighted to appear 
before you today to share with you the work of the NCSD and those with whom 
we are partnering to secure our national cyberspace and critical infrastructure. In 
my testimony today, I will provide an overview of NCSD, our operating mandates, 
our mission and goals, our priorities, and the programs in which we are engaged 
to meet those missions and goals. 
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DHS and Critical Infrastructure Protection 

Over the course of the past several months Secretary Chertoff conducted a sys- 
tematic evaluation of the Department’s operations. On July 13th, Secretary Chertoff 
announced his six point agenda for the path ahead for the Department. As part of 
this agenda, the Secretary announced several Departmental organizational changes. 
Among these was the creation of a new Preparedness Directorate which would 
house a newly created office of the Assistant Secretary for Cyber Security and Tele- 
communications. Currently, cyber security is addressed by the NCSD, one of four 
divisions in the Office of Infrastructure Protection (IP), located within the Informa- 
tion Analysis and Infrastructure Protection Directorate. 

In December 2003, President Bush issued Homeland Security Presidential Direc- 
tive 7: Critical Infrastructure Identification, Prioritization, and Protection (HSPD- 
7), which established a national policy for federal departments and agencies to iden- 
tify and prioritize United States critical infrastructure and key resources and to pro- 
tect them from terrorist attacks. Among other things, HSPD-7 identified 17^ critical 
infrastructure and key resource sectors and assigned responsibility for each to a 
Sector Specific Agency (SSA), with DHS serving as the overall program coordinator. 

Additionally, HSPD-7 set forth how DHS should address critical infrastructure 
protection, including “summary of activities to be undertaken in order to: define and 
prioritize, reduce the vulnerability of, and coordinate the protection of critical infra- 
structure and key resources.”^ 

To meet this mandate, IP developed the National Infrastructure Protection Plan 
(NIPP), a plan that is to serve as the guide for addressing critical infrastructure and 
key resource protection. It sets forth a risk management framework for public and 
private sector stakeholders to work together to identify, prioritize, and conduct vul- 
nerability assessments of critical assets and key resources in each sector. It also in- 
cludes the identification of interdependencies of critical assets and key resources 
both within and across the sectors, as well as providing priority protective measures 
that owners and operators of such assets should undertake to secure them. Recog- 
nizing that more that 85 percent of the critical infrastructure is owned and operated 
by the private sector and that the development of public-private partnership is para- 
mount to securing our nation’s assets, private sector-led Sector Coordinating Coun- 
cils (SCCs) are being established to work with their appropriate SSA via Govern- 
ment Coordinating Councils, which represent the government agencies that have a 
role in protecting the respective sectors. 

Currently, the office of Infrastructure Protection is finalizing the NIPP and it is 
expected to be released later this year. This finalized document will refine the pub- 
lic-private partnership model and a process for protecting our critical infrastructures 
from physical or cyber attack or natural disasters. 

DHS and Cyber Security 

In June 2003, in response to the President’s National Strategy to Secure Cyber- 
space and HSPE)-7, the Department of Homeland Security created the NCSD as a 
national focal point for cyher security. The national strategy established the fol- 
lowing five national priorities for securing cyberspace: 


Priority I: 
Priority II: 

Priority III: 

Priority IV: 
Priority V : 


A National Cyberspace Security Response System 
A National Cyberspace Security Threat and Vulnerability Re- 
duction Program 

A National Cyberspace Security Awareness and Training Pro- 
gram 

Securing Government’s Cyberspace 

National Security and International Cyberspace Security Co- 
operation 


iThe NIPP identifies the following Critical Infrastructure Sectors and Key Resources: Food 
and Agriculture; Public Health and Health Care; Drinking Water and Wastewater; Energy; 
Banking and Finance; National Monuments and Icons; Defense Industrial Base; Information 
Technology; Telecommunications; Chemical; Transportation Systems; Emergency Services; Post- 
al and Shipping; Dams; Government Facilities; Commercial Facilities; Nuclear Reactors, Mate- 
rials, and Waste. 

2 Homeland Security Presidential Directive 7, December 17, 2003; http:! ! 

www.whitehouse.gov / news / releases /2003 / 12 / 2003121 7-5.html. 
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Given today’s interconnected environment and DHS’s integrated risk-based ap- 
proach to critical infrastructure protection, NCSD’s mission is to work collabo- 
ratively with public, private, and international entities to secure cyberspace and 
America’s cyber assets. To meet that mission, NCSD developed a Strategic Plan that 
establishes a set of goals with specific objectives for each goal, and milestones asso- 
ciated with each objective. The Strategic Plan goals, which are closely aligned with 
the Strategy, HSPD-7, the NIPP, and the Cyber Annex to the National Response 
Plan, are as follows: 

1. Establish a National Cyberspace Response System to prevent, detect, re- 
spond to, and reconstitute rapidly after cyber incidents; 

2. Work with public and private sector representatives to reduce vulnerabilities 
and minimize severity of cyber attacks; 

3. Promote a comprehensive awareness plan to empower all Americans to se- 
cure their own parts of cyberspace; 

4. Foster adequate training and education programs to support the Nation’s 
cyber security needs; 

5. Coordinate with the intelligence and law enforcement communities to iden- 
tify and reduce threats to cyberspace; and 

6. Build a world class organization that aggressively advances its cyber security 
mission and goals in partnership with its public and private stakeholders. 

To meet these goals, NCSD is organized into four operating branches to address 
the various aspects of the risk management structure: (1) U.S. Computer Emergency 
Readiness Team (US-CERT) Operations to manage the 24-7 threat watch, warning, 
and response capability that can identify emerging threats and vulnerabilities and 
coordinate responses to major cyber incidents; (2) Strategic Initiatives Branch to 
manage activities to advance cyber security in critical infrastructure protection, con- 
trol systems security, software development, training and education, exercises, and 
standards and best practices; (3) Outreach and Awareness Branch to manage out- 
reach, cyber security awareness, and partnership efforts to disseminate information 
to key constituencies and build collaborative actions with key stakeholders; and (4) 
Law Enforcement and Intelligence Branch to coordinate and share information be- 
tween these communities and NCSD’s other constituents in the private sector, pub- 
lic sector, academia, and others, and also to coordinate interagency response and 
mitigation of cyber security incidents. Together, these branches make up NCSD’s 
framework to address the cyber security challenges across our key stakeholder 
groups and build communications, collaboration, and awareness to further our col- 
lective capabilities to detect, recognize, attribute, respond to, mitigate, and reconsti- 
tute after cyber attacks. 

Cyber Security Priorities: Response and Risk Management 

The Strategy, HSPD-7, and the NIPP provide NCSD with a clear operating mis- 
sion and national coordination responsibility. To carry out this mission and its re- 
lated responsibilities, NCSD has identified two overarching priorities: to build an ef- 
fective national cyberspace response system and to implement a cyber risk manage- 
ment program for critical infrastructure protection. Our focus on these two priorities 
and related programs addresses the overarching NIPP Risk Management method- 
ology and establishes the framework for securing cyberspace today and a foundation 
for addressing cyber security for the future. 

Priority 1 — Cyber Incident Management: A National Cyberspace Response System 

A core component of NCSD and our effort to establish a National Cyberspace Re- 
sponse System is the US-CERT Operations Center. US-CERT was established in 
September 2003 as a partnership between DHS and the public and private sectors 
to address cyber security issues. Building upon an initial partnership with the Com- 
puter Emergency Response Team Coordination Center (CERT/CC) in Carnegie Mel- 
lon University’s Software Engineering Institute, US-CERT now provides a national 
coordination center that links public and private response capabilities to facilitate 
information sharing across all infrastructure sectors and to help protect and main- 
tain the continuity of our nation’s cyber infrastructure. The overarching approach 
to this task is to facilitate and implement systemic global and domestic coordination 
of deterrence from, preparation for, defense against, response to, and recovery from 
cyber incidents and attacks across the United States, as well as from the cyber con- 
sequences of physical attacks or natural disasters. 

US-CERT has four major programs of activity. First, US-CERT is DHS’s 24-7- 
365 cyber watch, warning, and incident response center, and it provides coordinated 
response to cyber incidents, a web portal for secure communications with private 
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and public sector stakeholders, including critical infrastructure owners and opera- 
tors, a daily report, a public website (http: I lwww.us-cert.gov/), and a National 
Cyber Alert System, which provides timely, actionable information to the public on 
both technical and non-technical bases. Second, US-CERT conducts malicious code 
analysis, provides malware technical support, and conducts cyber threat and vulner- 
ability analysis. Third, US-CERT manages a situational awareness program and an 
Internet Health and Status service used by 50 government agency computer secu- 
rity incident response teams. Fourth, US-CERT manages programs for communica- 
tion and collaboration among public agencies and key network defense service pro- 
viders. In line with NCSD’s close working relationship with NCS, US-CERT works 
closely with the National Coordinating Center for Telecommunications (NCC) to ad- 
dress and mitigate cyber threats including response and recovery. US-CERT also 
maintains a presence in the HSOC to ensure coordination throughout DHS. 

As noted, NCSD has initiated a number of activities specifically to assist federal 
agencies in protecting their cyber infrastructure. NCSD established the Government 
Forum of Incident Response and Security Teams (GFIRST) to facilitate interagency 
information sharing and cooperation across federal agencies for readiness and re- 
sponse efforts. GFIRST is a group of technical and tactical practitioners of security 
response teams responsible for securing government information technology sys- 
tems. The members work together to understand and handle computer security inci- 
dents and to encourage proactive and preventative security practices. The purpose 
of the GFIRST is to: 

• Provide members with technical information, tools, methods, assistance, and 
guidance; 

• Coordinate proactive liaison activities and analytical support; 

• Further the development of quality products and services for the Federal Gov- 
ernment; 

• Share specific technical details regarding incidents within a trusted U.S. Gov- 
ernment environment on a peer-to-peer basis; and 

• Improve incident response operations. 

GFIRST meets on a regular basis and held its first annual conference in April 
2005 with more than 200 participants from Federal, State, and local governments. 
The conference was a major success for US-CERT, and GFIRST has established fur- 
ther lines of communications across organizations. The technical workshops and 
speakers stimulated many technical interchanges regarding cyber first responder ac- 
tivities. In another step forward, GFIRST held its first classified threat briefing 
with DHS Office of Information Analysis (LA), the Central Intelligence Agency, De- 
partment of Defense, and National Security Agency in June 2005. 

US-CERT utilizes a secure collaboration platform, the US-CERT Portal, to sup- 
port cyber information sharing and collaboration among the GFIRST community, 
and other cyber and critical infrastructure communities, such as the ISACs. The 
US-CERT Portal is being integrated into the Homeland Security Information Net- 
work (HSIN) and bridges the gap between the Government Coordinating Councils, 
the Sector Coordinating Councils, ISACs, and other private critical infrastructure 
information-sharing entities. 

In addition to GFIRST, NCSD worked with the Department of Defense (DOD) and 
the Department of Justice (DOJ) to form the National Cyber Response Coordination 
Group (NCRCG) to provide a Federal Government approach to coordinated cyber in- 
cident response. NCSD created a Cyber Annex to the recently issued National Re- 
sponse Plan (NRP)3 that provides a framework for responding to cyber incidents of 
national significance. As such, the Cyber Annex formalized the NCRCG as the prin- 
cipal federal interagency mechanism to coordinate preparation for, and response to, 
cyber incidents of national significance. The co-chairs of the NCRCG are DHS/ 
NCSD, DOJ, and DOD. An additional 13 federal agencies with a statutory responsi- 
bility for and/or specific capability toward cyber security, including the intelligence 
community, comprise the membership. NCSD serves as the Executive Agent and 
point of contact for the NCRCG. The NCRCG has developed a concept of operations 
(CONORS) for national cyber incident response that will be examined in the Na- 
tional Cyber Exercise, Cyber Storm, to be conducted by NCSD in November 2005, 
with public and private sector stakeholders. 

The NCRCG is also reviewing capabilities of federal agencies from a cyber defense 
perspective to better leverage and coordinate the preparation for and response to 
significant cyber incidents. This effort will entail the following components: 


http:! / www.dhs.gov / dhspublic / display?theme=15&content=4269 
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• Mapping the current capabilities of government agencies related to cyber de- 
fense relative to detection and recognition of cyber activity of concern, attribu- 
tion, response and mitigation, and reconstitution; 

• Identifying capabilities within the government that US-CERT should lever- 
age to maximize interagency coordination of cyber defense capabilities; 

• Performing a gap analysis to identify the surge capabilities for possible lever- 
age by, or collaboration with, the US-CERT for cyber defense issues in order 
to detect potentially damaging activity in cyberspace, to analyze exploits and 
warn potential victims, to coordinate incident responses, and to restore essen- 
tial services that have been damaged; and 

• Consider establishing formal resource sharing agreements with the other 
agencies per the cyber defense coordination needs identified through the proc- 
ess identified above. 

An important element of a National Cyberspace Response System is our ability 
to address the global nature of cyberspace. Implementation of NCSD’s international 
cyber security strategy and its related outreach and collaboration objectives is well 
underway, as we participate in bilateral and multilateral outreach efforts and have 
established cooperative programs with key allies and countries of interest. Such 
international cooperation contributes to our overall global situational awareness and 
incident response capabilities in an area in which information moves at Internet 
speed and traditional borders do not apply. 

With our efforts, accomplishments, and on-going programs, NCSD has made sig- 
nificant progress in managing cyber incidents and has taken substantial strides to- 
ward building a National Cyberspace Response System. We know there is more to 
do, and we are enhancing and evolving our readiness and response programs to fur- 
ther our efforts and address this dynamic environment. 

Priority 2 — Cyber Risk Management: Assessing the Threat and Reducing the Risk 

NCSD incorporated a risk management approach aligned with HSPD-7 and the 
resulting interim NIPP into its effort to better assess the threat and reduce the risk 
to our national cyberspace. Risk management includes risk assessment based on 
threat, vulnerabilities, and consequences, as well as efforts to reduce the risk by ad- 
dressing vulnerabilities before an attack occurs, and mitigating and managing the 
consequences of a cyber attack that does occur. The NIPP risk management frame- 
work entails work with the intelligence community, law enforcement, and the pri- 
vate sector to better understand the cyber threat and a collaborative partnership be- 
tween the private sector and Eederal, State, and local governments looking at peo- 
ple, cyber, and physical assets to identify and prioritize those assets, assess 
vulnerabilities, and coordinate the protection of critical infrastructure and key re- 
sources. 

With regard to assessing the threat, NCSD collaborates with the law enforcement 
and the intelligence communities in a number of ways. DHS assisted in the coordi- 
nation of cyber-related issues for the “National Intelligence Estimate (NIE) of Cyber 
Threats to the U.S. Information Infrastructure.” The resulting classified document 
issued in February 2004 details actors (nation states, terrorist groups, organized 
criminal groups, hackers, etc.), capabilities, and intent (where known). In addition, 
NCSD has infused cyber requirements into the Standing Information Needs (SINs) 
and Priority Information Needs (PINs) for the intelligence community and continues 
to collaborate with them through lA to characterize cyber threats for accuracy. Fi- 
nally, the NCRCG includes law enforcement and intelligence agencies and has work- 
ing groups addressing botnets and attribution issues. 

The private sector is also a resource for threat and risk related information, and 
NCSD works with its industry stakeholders to gather and communicate that infor- 
mation. The US-CERT Internet Health Service enables US-CERT to gather infor- 
mation from private sector resources regarding vulnerabilities, network attacks, and 
malicious code activity and provide that information to federal agencies. In addition, 
NCSD has identified preparedness and response as a key area of joint public-private 
effort and is working with the critical infrastructure sectors to identify attack/threat 
scenarios against which proactive protective measures can be taken and response 
plans can be developed. And, DHS utilizes the ISACs and critical sector elements 
of the HSIN to obtain and share cyber security information. 

With regard to reducing the risk, DHS’s SSA responsibilities under the NIPP in- 
clude the Information Technology (IT) Sector and the Telecommunications Sector. 
Specifically, NCSD coordinates the IT Sector, and the National Communications 
System (NCS), another of the divisions in the IP directorate, coordinates the Tele- 
communications Sector. Reflecting the increasing convergence between these two 
communications sectors in today’s market, NCSD and NCS work together closely to 
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coordinate all efforts to protect the Nation’s critical cyber systems and the tele- 
communications transport layer. 

The NIPP includes a cross-sector cyber responsibility for NCSD in addition to its 
IT Sector responsibility. The cross-sector responsibility is the collaborative effort be- 
tween DHS/NCSD and the SSAs to ensure that deployed cyber elements have been 
secured in an appropriate and consistent manner across sectors. NCSD is respon- 
sible for providing cyber guidance to all sectors assisting them in understanding and 
mitigating cyber risk (including cyber infrastructure vulnerabilities) and in devel- 
oping effective and appropriate protective measures. This guidance includes contrib- 
uting cyber elements to the NIPP, reviewing the cyber aspects of the respective Sec- 
tor Specific Plans (SSPs), and delivering cyber Critical Infrastructure Protection 
(CIP) training to SSAs to help them enhance the cyber aspects of their SSPs. 

To implement these two NIPP Cyber elements, NCSD works with the Information 
Technology Information Sharing and Analysis Center (IT-ISAC) and the newly es- 
tablished Information Technology Sector Coordination Council (IT-SCC), as well as 
with the SSAs, ISACs and emerging SCCs in the other sectors. 

In addition to NCSD’s specific NIPP responsibilities, there are three major compo- 
nents to our cyber risk mitigation approach: the Internet Disruption Working Group 
(IDWG), the Control Systems Security Program, and the Software Assurance Pro- 
gram. 

Protection of critical cyber assets goes hand-in-hand with protection of critical 
telecommunications assets; accordingly, NCSD and NCS are working closely to- 
gether to collaborate on issues related to threats, identification of critical cyber as- 
sets, vulnerability and risk assessments, and development of appropriate protective 
measures that could be recommended for implementation by owners/operators. 
Within the NIPP framework, NCSD and NCS established the Internet Disruption 
Working Group (IDWG) in December 2004 to address the resiliency and recovery of 
Internet functions in case of a major cyber incident. The Department of Treasury 
and the Department of Defense are also engaged, and the working group is acting 
to extend the partnership to representatives from the private sector as well as inter- 
national stakeholders. The IDWG reflects the convergence of telecommunications 
and information technology sectors in today’s environment and the emergence of 
Next Generation Networks (NGN) that will compose the Internet of the future. An 
initial focus of the working group is to identify near-term actions related to situa- 
tional awareness, protection, and response that government and its stakeholders 
can take to better prepare for, protect against, and mitigate nationally significant 
Internet disruptions. 

The interdependency between physical and cyber infrastructures is hardly more 
acute than in the use of control systems as integral operating components by many 
of our critical infrastructures. “Control Systems” is a generic term applied to hard- 
ware, firmware, communications, and software used to perform vital monitoring and 
controlling functions of sensitive processes and enable automation of physical sys- 
tems. Specific control systems used in the various critical infrastructure sectors in- 
clude Supervisory Control and Data Acquisition (SCADA) systems. Process Control 
Systems (PCS), and Distributed Control Systems (DCS). 

Examples of the critical infrastructure processes and functions that control sys- 
tems monitor and control include energy transmission and distribution, pipelines, 
water and pumping stations, telecommunications, chemical processing, pharma- 
ceutical production, rail and light rail, manufacturing, and food production. Increas- 
ingly, these control systems are implemented with remote access, open connectivity, 
and connections to open networks such as corporate intranets and the Internet. 
These sophisticated information technology tools are making our critical infrastruc- 
ture assets more automated, more productive, more efficient, and more innovative, 
but they also may expose many of those physical assets to physical consequences 
from new, cyber-related threats and vulnerabilities. 

To assure immediate attention is directed to protect these systems, NCSD estab- 
lished the Control Systems Security Program to coordinate efforts among Federal, 
State, and local governments, as well as control system owners, operators, and ven- 
dors to improve control system security within and across all critical infrastructure 
sectors. As part of this Program, NCSD developed a Control Systems Strategy that 
incorporates five highly integrated goals to address the issues and challenges associ- 
ated with control systems security. As such, our control systems activities support 
NCSD’s overall efforts to address cyber security across critical infrastructure sectors 
over the long-term, as well as the US-CERT’s capability in the management, re- 
sponse, and handling of incidents, vulnerabilities, and mitigation of threat actions 
specific to critical control systems functions. NCSD also recognizes the significant 
attention being paid to PCS and SCADA security by various industry organizations 
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in developing encryption standards, cryptography, modeling, and other tools to im- 
prove cyber security of control systems. 

NCSD also established the US-CERT Control Systems Security Center (CSSC) in 
partnership with Idaho National Laboratory (INL) and other Department of Energy 
National Laboratories'* in June 2004. The CSSC is involving other partners from 
control systems industry associations, universities, control systems vendors, and in- 
dustry experts. Since its establishment, the CSSC has made considerable progress 
and some of its major accomplishments include: 

• Established the US-CERT CSSC assessment and incident response facility lo- 
cated at INL and a US-CERT Support Operations Center for Control Sys- 
tems; 

• Established relationships with more than 25 potential industry partners and 
completed several agreements that established initial assessment, analysis, 
and vulnerability reduction plans within various industry sectors; 

• Created the Critical Infrastructure Cyber Consequence Matrix to determine 
the industries of most concern, and a list of specific sites from the National 
Asset Database where Control Systems could cause a negative consequence 
due to failure or attack; 

• Created a quantitative control systems cyber risk/decision analysis measure- 
ment methodology; and, 

• Established the Process Control System Forum (PCSF) (in partnership with 
DHS’s Science and Technology Directorate) with industry, academia, and gov- 
ernment to accelerate the development of technology that will enhance the se- 
curity, safety, and reliability of Control Systems, including legacy installa- 
tions. 

At the same time that the telecommunications and financial sectors have in- 
creased their dependence on information systems overall for information flows, serv- 
ice provision, and financial transactions, the energy, chemical, nuclear, food and ag- 
riculture, transportation, and water sectors have become increasingly dependent on 
process control systems for their critical operations. To more fully utilize the Matrix 
for analysis on the nature of consequences of attacks on the various sectors for risk 
management purposes, more information is needed about how these various sectors 
are using process control systems and the subsequent interdependencies. 

Future FY05 and FY06 activities for NCSD’s Control Systems Security Program 
include efforts to: 

• Develop a comprehensive set of control systems security assurance levels for 
owners and operators; 

• Sponsor government/industry workshops to increase awareness among control 
systems owners and operators of potential cyber incident impacts and 
vulnerabilities; 

• Develop, populate, and validate control systems security scenario assessment 
tools to provide response teams a web-based application to assess impacts; 

• Assess a minimum of three core systems and provide solutions to 
vulnerabilities and recommendations to protect against cyber threats; and 

• Develop the US-CERT CSSC web page for information exchange. 

The third major component of NCSD’s cyber risk management program is our 
Software Assurance Program. Software is an essential component of the Nation’s 
critical infrastructure (power, water, transportation, financial institutions, defense 
industrial base, etc); however, defects in software can be exploited to launch cyber 
attacks as well as attacks against the critical infrastructure. NCSD developed a 
comprehensive software assurance framework that addresses people, process, tech- 
nology, and acquisition throughout the software development lifecycle. 

As part of the shared responsibility approach to cyber security, DHS is working 
to achieve a broader ability to routinely develop and deploy trustworthy software 
products. As such, DHS is shifting the security paradigm from “patch management” 
to “software assurance” by encouraging U.S. software developers to raise the bar on 
software quality and security. In collaboration with other federal agencies, aca- 
demia, and the private sector, we are: 

• Sponsoring the development of a repository of best practices and practical 
guidance for the software development community; 


'‘Idaho (INL), Pacific Northwest (PNNL), Los Alamos (LAND, Argonne (AND, Sandia (SNL), 
Savannah River (SRNL) 
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• Developing a software assurance common body of knowledge from which to 
develop curriculum for education and training; 

• Examining recommendations from the Networking and Information Tech- 
nology Research and Development (NITRD), Software Design and Produc- 
tivity (SDP), and High Confidence Software and Systems (HCSS) coordination 
groups and anticipating greater direct engagement with them in the future. 

• Facilitating discussions with industry and academic institutions through Soft- 
ware Assurance Forums; 

• Collaborating with NIST to inventory software assurance tools and measure 
effectiveness, identify gaps and conflicts, and develop a plan to eliminate gaps 
and conflicts; 

• Completing the DHS/Department of Defense co-sponsored comprehensive re- 
view of the National Information Assurance Partnership (NIAP)® with the 
draft report to be published in September 2005; and 

• Promoting investment in applicable software assurance research and develop- 
ment. 

DHS will seek to reduce risks by raising the level of trust for all software, mini- 
mizing vulnerabilities and understanding threats. DHS will collaborate with govern- 
ment, industry, academic institutions, and international allies to achieve these soft- 
ware assurance objectives. 

Another important cyber element of national infrastructure protection is the pro- 
liferation of the Internet in our society and daily lives. To mitigate the risks inher- 
ent in the rapidly growing user base and increasing usage, NCSD is engaged in a 
cyber security awareness program that leverages a variety of partners including the 
National Cyber Security Alliance, the Multi-State ISAC, and the Federal Trade 
Commission, among others, to reach out to the home user, K-12, small business, 
and higher education audiences to raise the American public’s awareness of cyber 
risks and security measures. 

Research and Development for Cyber Security and Critical Infrastructure 
Protection 

Cyber-related research and development (R&D) is vital to improving the resiliency 
of the Nation’s critical infrastructures. This difficult strategic challenge requires a 
coordinated and focused effort from across the Federal Government, State and local 
governments, the private sector, and academia to advance the security of critical 
cyber systems. 

A critical area of focus for DHS is the development and deployment of tech- 
nologies to protect the Nation’s cyber infrastructure, including the Internet and 
other critical infrastructures that depend on IT systems for their mission. Two com- 
ponents within DHS share responsibility for cyber R&D, with the Science & Tech- 
nology (S&T) Directorate serving as the primary agent responsible for executing 
cyber security R&D programs. NCSD has responsibility for developing requirements 
for DHS’ cyber security R&D projects. 

The S&T Directorate’s mission is to conduct, stimulate, and enable research, as 
well as to develop, test, evaluate, and transition homeland security capabilities to 
federal, State and local operational end-users. The goals of the DHS S&T Direc- 
torate’s Cyber Security R&D program are to: 

• Perform R&D aimed at improving the security of existing deployed tech- 
nologies and to ensure the security of new emerging systems; 

• Develop new and enhanced technologies for the detection of, prevention of, 
and response to cyber attacks on the Nation’s critical information infrastruc- 
ture; and 

• Facilitate the transfer of these technologies into the national infrastructure 
as a matter of urgency. 

NCSD supports the overall DHS R&D mission by identifying areas for cyber inno- 
vation and coordinating with S&T. NCSD collects, develops, and submits cyber secu- 
rity R&D requirements to provide input to the federal cyber security R&D commu- 


^The National Information Assurance Partnership, established in August of 1997, is a joint 
effort between NIST and NSA to provide technical leadership in security-related information 
technology test methods and assurance techniques. NIAP uses the Common Criteria to evaluate 
and certify commercial off the shelf (COTS) products. There has been much discussion in past 
years on the effectiveness (time and cost) of the NIAP process. As a result, the National Strategy 
to Secure Cyberspace recommended an independent review of the program be conducted to make 
recommendations for its improvement. 
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nity and specifically to inform the DHS S&T Directorate’s cyber security research 
priorities. 

DHS S&T’s Cyber Security Research and Development Center is currently work- 
ing on several projects that support the recommendations of the National Strategy 
to Secure Cyberspace, while addressing the vulnerabilities of critical systems and 
infrastructures. The major areas are: 

• Working with industry to develop secure routing protocols for the core of the 
Internet. 

• Development of a cyber security test bed for researchers and developers. 

• Establishment of a large database of anonymized data collected from the 
Internet to support research on new cyber security tools and techniques. 

• Partnering with the government of Canada on a joint experiment involving 
the handheld BlackBerry data devices for secure communications between 
first responders. 

• Funding research on understanding and countering emerging Internet 
threats. 

• Funding small business innovative research in the development of new cyber 
security products. 

• Coordination with the Institute for Information Infrastructure Protection 
(ISP) on the development of new technologies for securing SCADA systems 
and networks and analyzing the economics of cyber security. 

To support and document cyber security R&D initiatives across the Federal Gov- 
ernment, NCSD participates in the Cyber Security and Information Assurance 
Interagency Working Group (CSIA IWG), co-chaired by S&T and the Office of 
Science and Technology Policy (OSTP). Participants include the National Science 
Foundation (NSF), the Defense Advanced Research Projects Agency (DARPA), the 
National Institute of Standards and Technology (NIST) and many others. By report- 
ing to both the Infrastructure Subcommittee and NITRD, the CSIA IWG is posi- 
tioned to coordinate cyber security and information assurance R&D across agencies, 
while ensuring that the security of critical infrastructures is emphasized. The CSlA 
IWG is currently completing the Federal Cyber Security and Information Assurance 
R&D Plan. 

Moving Forward 

In connection with the National Infrastructure Protection Plan, efforts are under- 
way to assess cyber threats, reduce vulnerabilities and identify significant inter- 
dependencies. These efforts will be fully implemented as the SSAs implement their 
portion of the NIPP. In partnership with NCS and other agencies, we are working 
through the Internet Disruption Working Group to address the resiliency and recov- 
ery of Internet functions in the case of a major cyber incident. We have established 
a Control Systems Security Program to address core operating systems of critical 
infrastructure sectors. And, we are working with the government, private sector, 
and academia to promote the integrity and security of software. We continue to en- 
hance our cyber incident readiness and response system, and we coordinate with our 
private sector stakeholders to provide protective guidance to our stakeholders 
through US-CERT. We are conducting a major exercise later this year to test the 
Cyber Annex to the National Response Plan. Through this effort, we will pull to- 
gether appropriate entities in the Federal Government, State governments, and ap- 
propriate private sector stakeholders to test our capabilities and, subsequently, to 
improve our incident management process. 

We are committed to achieving success in meeting our goals and objectives, but 
we cannot do it alone. We will continue to meet with industry representatives, our 
government counterparts, academia, and State representatives to formulate the 
partnerships needed for productive collaboration and leverage the efforts of all, so 
we, as a nation, are more secure in cyberspace and in our critical infrastructures. 

Again, thank you for the opportunity to testify before you today. I would be happy 
to answer any questions you may have at this time. 

Biography for Donald A. (Andy) Purdy, Jr. 

In October 2004, Donald A. (Andy) Purdy, Jr. was appointed by Secretary Ridge 
as the Acting Director of the National Cyber Security Division (NCSD) for the De- 
partment of Homeland Security, within the Information Analysis and Infrastructure 
Protection (lAIP) Directorate. The lAIP Directorate identifies and assesses a broad 
range of intelligence information concerning threats to the people and communities 
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of the United States and to protect the critical infrastructure systems vital to our 
national security, governance, public health and safety, economy, and national mo- 
rale. 

The NCSD’s mission, in cooperation with public, private, and international enti- 
ties, is to secure cyberspace and America’s cyber assets. The key components of this 
mission involve: (1) implementation of the National Strategy to Secure Cyberspace 
and the DHS Strategic Plan; and (2) implementation of priority protective measures 
to secure cyberspace and to reduce the cyber vulnerabilities of America’s critical in- 
frastructures. 

Prior to joining the Department, Mr. Purdy worked on assignment to the White 
House as Deputy to the Vice Chair and Senior Advisor for IT Security and Privacy 
to the President’s Critical Infrastructure Protection Board (PCIPB) working on the 
development of the National Strategy to Secure Cyberspace. With the PCIPB, Purdy 
worked in the areas of cyber crime, privacy protection, government procurement and 
maintenance of more secure products and systems, security of the financial sector’s 
information systems, and in promoting information sharing in industry sectors such 
as health care and finance. In April 2003, Mr. Purdy came to the Department where 
he worked on the cyber tiger team to help design and launch the NCSD in June 
2003. Following that he served as Acting Director until Amit Yoran was appointed 
Director in the Fall of 2003. 

Immediately prior to his assignment to the White House staff, Mr. Purdy served 
as Chief Deputy General Counsel and later as Acting General Counsel for the U.S. 
Sentencing Commission. The Sentencing Commission is charged with promulgating 
and updating the Federal Sentencing Guidelines for individuals and organizations, 
and for providing counsel to the Congress and others about federal sentencing prac- 
tices and policies. At the Sentencing Commission Mr. Purdy served as a member 
of the senior management team and provided legal, strategic, administrative, and 
ethical advice to the Chair and Commissioners, Staff Director and Unit Chiefs. 

Mr. Purdy graduated from the College of William and Mary and the University 
of Virginia Law School. After receiving his law degree, Purdy served as an Assistant 
Attorney General in Missouri, and then as Senior Staff Counsel to the U.S. House 
of Representatives Select Committee on Assassinations’ investigation of the assas- 
sination of President Kennedy. He subsequently served as an Assistant U.S. Attor- 
ney in Philadelphia where he concentrated on investigating and prosecuting white 
collar crime. Following his service as a federal prosecutor, Mr. Purdy returned to 
Washington, D.C. to serve as Counsel to the U.S. House of Representatives Com- 
mittee on Standards of Official Conduct (Ethics). 

Mr. Purdy then moved to investigative work in network news, working as an As- 
sociate Producer for the NBC News magazines First Camera and Monitor, and then 
as the Producer for News and Politics for the CBS News broadcast NIGHTWATCH. 
Subsequently, while at the Sentencing Commission, Mr. Purdy was detailed to Cap- 
itol Hill where he worked as Counsel to the U.S. Senate Impeachment Trial Com- 
mittee for the impeachment trial of then-chief federal judge Walter Nixon of Mis- 
sissippi. 

Mr. Purdy lives in Bethesda, Maryland, with his wife Robin Fader, an Emmy 
Award winning television and commercial producer, and their daughter, Alexandra, 
who is 10 years old and has a certified black belt in Tae Kwon Do. 

Chairman BOEHLERT. Thank you very much, Mr. Purdy. 

Mr. Leggate. 

STATEMENT OF MR. JOHN S. LEGGATE, CHIEF INFORMATION 
OFFICER AND GROUP VICE PRESIDENT, DIGITAL & COMMU- 
NICATIONS TECHNOLOGY, BP PLC., UNITED KINGDOM 

Mr. Leggate. Thank you, Mr. Chairman, and thank you, distin- 
guished Members. 

My name is John Leggate. I am CIO for BP, and this morning, 
I also represent BENS, which is Business Executives for National 
Security in the U.S., a large organization whose interest, of course, 
is improving the nature of business and its dependency on the 
Internet. 

By way of context, also, BP happens to be the biggest provider 
of oil and gas in the United States. So, in fact, in our normal busi- 
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ness, we take the whole issue of national security as a very, very 
fundamental part of what we do for the United States. 

Anyway, going on from that, this topic, as you said, Mr. Chair- 
man, has actually been in our minds for some time. It has been 
around, and I think what I would like to do here is point to two 
things just to simply portray a little bit more of why this is so im- 
portant today and a few ideas on the way forward above and be- 
yond what is said here. 

Almost by stealth since the fail of the dot-com era companies 
have actually been moving towards the Net progressively. We have 
done survey work, and our most recent survey would say, in the 
energy sector, the chemicals and transport sector, up to 30 percent 
of their revenues come from work done on the Internet today in the 
United States. In a sense, the dependency is very clear and grow- 
ing. 

And the second point, after Mr. Purdy’s point, the nature of busi- 
ness automation regarding running process plants, refineries, and 
chemical plants are now moving to a place where they look simply 
like regular computers. They are not different systems anymore. 
And the capacity for these systems then to be impaired is quite im- 
portant. In fact, with time, we see a bigger growth in what we call 
machine-to-machine information flow than simply humans on the 
Internet, per se. I mean, today, in the world, I think at any point 
in time, 200 million people are on the Internet with a billion pos- 
sible connections going on. 

So moving on from that to say this is a big issue. The thing that 
I would note, it isn’t simply cyber security but the confluence of 
cyber and physical security in the Internet. Solving the cyber issue 
doesn’t solve the reliability or the vulnerability of the Internet. 
There are number of points in the world which are well disclosed 
where big nodes come together. There are critical points that you 
can find. If you choose to scan the Internet, you will see these 
today where it all comes together. And of course, it is — that be- 
comes another big issue as to who is in charge. How should we se- 
cure or harden these particular environments? 

So another area to think about in all of this conversation is mak- 
ing sure we touch on the edges on the nature of the physical dis- 
tribution of the Internet. Now you might say, “What are companies 
doing for themselves in the space, because clearly they should be 
self-reliant?” And we are pretty well. But in a sense, what we do 
control, if you like, is the last mile, the mile into our premises. But 
the millions of miles of Internet, we have no control over and no 
say-so on its deliverability or its resilience. So all of this traffic is 
heading to a place where it is almost out of reach of the businesses, 
but because of economic pressures, efficiency, and almost an al- 
ways-on environment which we demand nowadays, the job is on. 

So that broadly says that the problem is real. It is big and prob- 
ably getting bigger with time. And the dimensions are not well 
aware with policy makers. In my job, I travel around most of the 
world, and I would say the same level of lack of knowledge of the 
dependency of real business, if you like, world trade is now coming 
to the Internet. 

Look at the United States where we have eight channels of prin- 
ciple critical national infrastructure and trace it all back, most of 
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it ends up somewhere back on the Internet. So if you look through 
energy, transportation, aviation, it all comes, to some point, to 
some degree, to the Internet. 

And then to look forward more optimistically say what there is 
to do, I would offer there are two areas to think about. One is fix- 
ing what we have. And we have heard from Mr. Purdy various en- 
deavors to do that. I would only add to his remarks and say what 
business would look at isn’t simply the risk envelope but the con- 
sequences. Within a major corporation, as in BP, the number of at- 
tempts or events per day that come into the system is between a 
half million and a million attempts on the Internet. Of those, only 
a handful really matter to the company. 

And the issue is how do you screen out the knives on the Inter- 
net and get to the issues that actually ultimately take out business 
and make it quite difficult. So working with that, certainly busi- 
nesses want to become more aligned with activities of the agencies 
to bring forward the notion of risk management and consequences 
into this conversation so that the money is spent wisely on the 
right priorities. Because you can imagine, you could do a ton of re- 
search across a large landscape and not nail the problem. 

So the question is how do you converge the issue in the near- 
term, in the course of 2006, 2007, and 2008 to put this into a much 
better state? So that is one aspect of the way forward. 

I think the other aspect of the way forward is really a new con- 
versation, and I will call it mixed generation Internet, not Internet 
2, which is basically in the scientific domain, but looking 20 years 
out. Most of all, of the United States to start a conversation that 
moves us to the next generation, if you like, of public utility, i.e., 
in order so business can progress. Already, in my travels to the Far 
East, countries like South Korea and Japan are talking of moving 
to IPv6, and so we are going to end up, at some stage, with dif- 
ferent initiatives in different geographies but no one really holding 
the game plan, the overall strategic intent, or I would call it, tech- 
nology development map, even the governments. Who gets to say 
in such a complex world? 

So from my point of view, let me summarize and say the issue 
is real. We should not be distracted into the near-term issues 
alone, but also take the position, I think, through this committee 
to discuss what is the nature of the strategic intent for the future 
that ensures world trade carries on in the way it is. 

Thank you, Mr. Chairman. 

[The prepared statement of Mr. Leggate follows:] 

Prepared Statement of John S. Leggate 

BUSINESS CONCERNS FOR THE INTERNET 

STATEMENT OF THE ISSUE 

The Internet is rapidly becoming the backbone of the world economy. This is par- 
ticularly true for the United States where the use of the Internet underpins many 
aspects of the U.S. economy and national critical infrastructure (e.g., energy, water, 
transportation). Given this fundamental dependency on its continuous availability, 
the public Internet must be better protected, managed and controlled. In the longer- 
term, the U.S. should take a leadership role in creating the next generation Global 
Internet. 
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SUMMARY OF THE ISSUE 

The growth of Internet use has been nothing short of extraordinary. ^ Almost by 
stealth since the dot com collapse, governments, public bodies and large and small 
scale businesses have been transformed to operate with the Internet as a core piece 
of business infrastructure. Businesses from all over the world have found the Inter- 
net to be a cost effective and reliable business tool. Indeed, in the last few years, 
in addition to conventional business transactions, many of the controls systems 
(SCADA) that support national and public utilities are adopting the Internet as a 
core data transport method.^ This has resulted in businesses and societies becoming 
critically dependent on the continuous operation of the Internet.^ 

Businesses have moved from dial-up and dedicated point to point leased lines to 
committing mission critical digital traffic to operate on the Internet, yet with no 
practical alternative to maintain business continuity. However, the Internet is most- 
ly run by groups of diverse academic and non-profit organizations which operate via 
loose consensus. Many governments have apparently not yet fully grasped that na- 
tional and international economies and their citizens are now dependent on this net- 
work of networks — i.e., the global communications backbone. 

In its current operation the Internet has well known physical and logical security 
weaknesses both nationally and globally. What is not truly known is the potential 
business impact of these weaknesses on the U.S. and the world economy. Continued 
operation is presumed, but is in no way guaranteed. This is compounded by the poor 
understanding of dependency/interdependencies between companies and critical in- 
frastructures supporting nations/regions. 

Global competition has driven the need for ever increasing levels of productivity 
and innovation from businesses and this has driven the demand for cheaper and 
more ubiquitous communications. The nature of the architecture of the Internet has 
allowed it to carry an ever increasing variety of services, with ever decreasing costs. 
These forces are driving applications, services and business processes from every 
sector onto the Internet. Businesses that fail to exploit these cost and performance 
advantages are at a competitive disadvantage. 

Today, at moment there are some 200 million individuals active on the Internet. 
By the end of 2005, at least one billion people will have access to its enormous re- 
sources."^ Also there are as many automated systems — including SCADA systems, 
CCTV, pipelines, electricity grids, e-mail servers, inventory systems and medical 
monitoring devices. These systems often communicate over the Internet without 
human intervention. This machine-to-machine communication is growing dramati- 
cally and could supplant interactive use by people in a few years.® 

In 2004, $6.9 trillion of the $55.6 trillion of worldwide trade was directly trans- 
acted over the Internet.® Of the remaining trade there was a significant proportion 
that relied on supporting activity using the Internet for communication — including 
specification queries, logistics and links between internal processes within compa- 
nies. Even financial institutions use the Internet for many routine electronic funds 
transfers.'^ Significantly, in 2004 and in the U.S. alone, 14.8 million high tech jobs 
relied directly on the Internet.® 

In the past there have been attempts to address the issues of security, operational 
stability and reliability but with limited success. For example, work conducted by 
the President’s Commission on Critical Infrastructure Protection (PCCIP) nearly ten 
years ago, raised vulnerabilities that are apparently yet to be addressed.® It set a 
goal of a reliable, interconnected, and secure information system infrastructure by 
the year 2003. Is the context and sense of urgency different today? 

This paper explains why the context is now so very different. In the ’80s and early 
’90s companies were not using the Internet in anything like the same way or to the 
same scale as they do today. Private networks were the common means of commu- 
nication. The companies providing Internet infrastructure were justified in treating 
identified weaknesses as rather academic and with little economic importance. 

However, things have changed and in ways that often only businesses directly 
using the Internet can articulate.^® Companies can, and do, take security measures 


1 Lazarus Research Group 

2 Internet Security Systems 

3 Jupiter Research 
"^Meta Research 

® ZDNet Research 
® Forrester Research, Inc. 
"^Forrester Research, Inc. 

® University of Texas-Austin 
9 PCCIP Report 1997 
^9 See Appendix. 
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to protect the systems they run and the services directly under their immediate con- 
trol. But they can do little, to protect the external network infrastructure on which 
they rely or even engage in a meaningful dialogue about fundamental performance 
expectations. Previous work in evaluating risks to the Internet has almost entirely 
focused around a dialogue between supply-side telecommunications/IT companies 
and government.i'^ We therefore only have half the picture, knowledge of inter- 
dependency between supply and demand-side for Internet services clearly needs to 
be shared. 

Even more troubling is that many demand-side organizations do not realise how 
dependent they are on the Internet. Corporations have become linked to the Inter- 
net in ways that are not always easily discerned. For example, a major corporation 
that depends on a third party’s logistical services may be surprised to learn that 
their supplier communicates internal orders and status using the Internet, or that 
an electric utility they depend upon has moved its process control network to run 
over the Internet. 

These cascading dependencies all too quickly create ‘domino effects’ that are not 
obvious to the corporate customer or to the policy-maker. They are usually only dis- 
covered during unplanned outages when capabilities begin to degrade or fail in un- 
expected ways, or are discovered during widely-based crisis management exercises. 
Businesses and governments can plan for expected failures. But even the best pre- 
pared organizations and corporations may be woefully inadequate in responding to 
complex, low probability, high impact failures. If a large scale Internet outage or 
significant reduction in performance were to occur, the unexpected effects on whole 
sets of industries, utilities and enterprise could have surprisingly large economic 
and societal impacts. 

Whether the failure of the Internet arises through error, a worm-writers experi- 
ment, or more directed physical or cyber attacks, vulnerabilities exist and this is 
a real and present risk. Recent reports about “Cyber attack” attempts being devel- 
oped and the posting of hacker tools with directions on some of the extremist’s 
websites may be warning signs. 

BROADER CONTEXT 

It is worth recalling that the Internet was set up as a government sponsored 
project, with the U.S. Government as the primary customer and ‘anchor tenant.’ Its 
creation was a bold and dramatic step-out that went on to evolve into a remarkable 
resource that has significantly exceeded the wildest imaginings of its creators. As 
a result it is being used far beyond anything envisaged in the original designs. 

Since its creation, the Internet has developed rapidly in scale, but its technical 
design has progressed more through steady incremental evolution than through any 
step change. The “grass roots” and academically-based standards setting process of 
the Internet Engineering Taskforce (IETF) has had great success. However, the 
down-side of this consensus approach is that entity wide coordination and alignment 
is difficult to achieve and step changes are difficult to implement. Internet stand- 
ards setters are a community of interest and as such they share interests, but they 
do not share goals and timescales in the way that a project with a clear mandate 
does. 

This diversity of interest has been compounded by the loss of the primary cus- 
tomer, i.e., the U.S. Government, driving operational performance requirements, 
since they have started to use alternative infrastructures for extra critical services. 
Instead of a single ‘anchor tenant,’ the Internet now has countless customers drawn 
from many governments, corporations and individual users and is thus driven by 
a very diverse range of agendas, without a clear priority setting process. This will 
further slow change and adaptation to the new and emerging context of Internet 
use. 

The question we need to ask is whether incremental change will be sufficient to 
address the current physical and digital integrity weaknesses. The current defi- 
ciencies on the Internet may well be filled by tactical repairs, but the potential gap 
of predictable demand for high volume traffic with high quality services and the in- 
tractable vulnerabilities will require a more radical approach. Arguably the risks we 
are seeing, illustrated by spreading worms and viruses and underlying common 
mode weaknesses in technologies and physical infrastructure are systemic and sys- 


National Security Technology Advisory Committee (NSTAC) and the National Infrastruc- 
ture Assurance Council (NIAC). 

12 Drawn from I-space theory. Max Boisot, INSEAD. 
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tematic in nature. Systemic and systematic risks can only be addressed through 
coordinated rather than isolated action. A fact well illustrated by other complex sys- 
tems such as vaccination statistics and epidemiology in the medical world and in 
the risk management intervention required in national and global banking sys- 
tems, Many of these risks have no geographic or country boundaries — impact and 
influence is global. 

The widespread globalization of the Internet also introduces a further develop- 
ment complexity. Scores of countries now have fundamental interests in its evo- 
lution and some are even orchestrating local step-changes in technology, However, 
no country has yet felt able to propose fundamental change on a global basis. Within 
the U.S., the Internet is seen in many quarters as the starting point for the Na- 
tional Information Infrastructure (Nil). Around the world, there is growing recogni- 
tion that the set of Nils (assuming each country commits to developing one) should 
be compatible with each other in an — as yet — undefined way. Who should take the 
lead in ensuring this compatibility? There is clearly an important role for govern- 
ment leadership in framing this strategic agenda — with strong collaboration with 
commerce and business. 

In practice, the technical scope of the Internet already goes beyond that defined 
as “Internet services.” Ultimately, the communication pathways must enter the 
user’s machine/other digital devices, pass through layers of software and end up in 
applications programs. The computer industry, along with the many vendors of com- 
puter-related equipment, must play a role in determining how this aspect of the 
Internet will evolve and therefore form part of the supply-side. A key to the success 
of the Internet is to ensure that the interested parties have an equitable way of par- 
ticipating in its evolution, including participation in its evolving standards process 
and technology roadmap. A proper role for governments would be to oversee this 
process to make sure that it meets the wide spectrum of public and industry needs. 

Yet further complexity and dependency is being introduced by a new breed of 
service providers who are offering services that will continue to supplant alternative 
networks. Telephony (through Voice Over IP), television, radio and almost all forms 
of communication are migrating to the Internet or including the Internet as a key 
component in the communication path. 

CONCLUSIONS ON CURRENT POSITION 

• There are no clear accountabilities or guarantees for the continuity of oper- 
ation of the Internet. Even weaknesses known about for some time have not 
yet been addressed. 

• A significant and growing proportion of the world economy is dependent on 
the Internet. 

• The Internet is currently subject to technical and geopolitical risk and there- 
fore not only the U.S. economy, but economies worldwide, are at risk. 

• The U.S. Government itself is no longer fully dependent on the Internet, as 
it has alternative networks at its disposal for critical services. Thus the Inter- 
net has moved from having a single ‘anchor tenant’ to a diverse community 
of stakeholders without a voice in the operational performance expectations 
of the current Internet. 

• New technologies and emergent Internet uses, such as Voice Over IP and 
widespread control system connectivity, are increasing dependency and 
compounding the risk. 

OPTIONS ON THE WAY FORWARD 

We would consider a two-pronged approach, to address both the immediate risk 
and the strategic opportunity: 

1. Short-Term 

To address immediate concerns a series of in-depth and as necessary classified 
studies, workshops and truly cross-sectoral exercises should be held to allow busi- 
nesses (that deliver critical aspects of national infrastructure — e.g., energy, trans- 
portation and financial) and governments to share critical information under the 
Protected Critical Infrastructure Information (PCII) Program. The goal of this work 


Illustrated by work from the Cooperative Association for Internet Data Analysis 
(www.caida.org). 

Drawn from standard epidemiology texts and banking risk texts and the opinions of bank- 
ing regulators. 

For example, the broad introduction of IPv6 in Korea and Japan. 
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would be to map the business reliance upon the Internet against known areas of 
risk and develop a priority plan to focus actions that are necessary for increasing 
its robustness and integrity. 

The work could start with the scope of the U.S. economy in a global context. Inter- 
dependency should then dictate that it be extended in the first instance to other 
countries from the G8 and EU. 

2. Medium-Term 

There is a need to create the next generation Internet in a form that would be 
able to handle the emerging demands of business, civil societies and governments. 
This would include the technical design necessary to meet physical and logical di- 
versity and resilience. In addition, the program should include the development of 
a Global Internet Management Framework that addresses broad policies and stand- 
ards, clarity of operational accountabilities, and technology roadmaps. The goal 
should be to assure the performance and digital integrity of the new Global Inter- 
net, in terms of resilience to physical and cyber-security risks, supplier commercial 
failure, and broader geopolitical risks. 

We believe the U.S. should take a leading role in this proposed global initiative. 

Thank you for the opportunity to express the views of the business community. 
I look forward to continuing our conversation as our CEO roundtable at BENS 
(Business Executives for National Security) progresses. We look forward to contrib- 
uting to the actions that we propose. 
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APPENDIX 

Business Criticality Data 

Having recognized the potential for serious negative impact on the U.S. critical 
national infrastructure in the event of a significant interruption of Internet service, 
a group of concerned business people carried out an informal survey of key sector 
companies in early 2005. The graph below shows the findings from that survey, in- 
dicating the level of dependency these sectors have on the Internet. 


Percentage of Revenue Dependent on the Internet 
(informal poll of 5000 companies) 



Financial Services Telecommunications Chemical Energy Transportation 
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Biography for John S. Leggate 

As CIO of BP, John Leggate is responsible for the development of BP’s digital ca- 
pability — its related systems, technology, business processes and business opportuni- 
ties — across the company’s global operations. Exploration and Production, Refining 
and Marketing and Trading. 

John was elected a Fellow of the Royal Academy of Engineering in July 2005. He 
was also honored as Commander, The Most Excellent Order of the British Empire 
(CBE) by the Queen in her 2004 New Year’s Honour List. This is in recognition of 
an outstanding contribution and leadership of the international digital technology 
agenda. 

A chartered engineer, a graduate of Glasgow University and a Fellow of the lEE, 
began his career in marine consultancy and nuclear energy before joining BP Explo- 
ration in 1979. During the 1980-90s he held posts of increasing responsibility in the 
management and operating of BP’s North Sea oil and gas assets. 

In 1998, he was appointed President of BP’s Azerbaijan International Operating 
Company, in which capacity he was tasked to manage IIP’s interests in the unfold- 
ing geopolitical and economic debate that centered on crude oil export routes from 
the Caspian Sea. 

John has a particular interest in leadership, the management of high-performance 
teams and organizational change. 

He is married with two children, lives in London and travels widely on behalf of 
the company. 
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Chairman BOEHLERT. Thank you very much, Mr. Leggate. 

Mr. Kepler. 

STATEMENT OF MR. DAVID E. KEPLER, CORPORATE VICE 

PRESIDENT OF SHARED SERVICES AND CHIEF INFORMA- 
TION OFFICER, THE DOW CHEMICAL COMPANY 

Mr. Kepler. Thank you, Chairman Boehlert and Ranking Mem- 
ber Gordon, for allowing me to share my thoughts on this impor- 
tant topic. 

Mr. Chairman, before I begin, our thoughts and prayers go out 
to the millions of Americans, including many of our 7,000 employ- 
ees, on the Gulf Coast who have lost so much from Hurricane 
Katrina. 

The importance of information infrastructure for communications 
and emergency response in a national crisis has never been more 
apparent. 

I am Dave Kepler, Corporate Vice President of Shared Services 
and Chief Information Officer of the Dow Chemical Company, the 
world’s largest chemical and plastics producer. 

I am also here as Chairman of the Executive Board of our Indus- 
try Cyber Security Program. Our mission is to understand, prior- 
itize, and coordinate our efforts to address cyber security risks. 

Today, I would like to discuss the role of information technology 
in our sector, describe the cyber security threats we face, and high- 
light what is being done to address these threats. I will also sug- 
gest areas where I think government can help. 

With $109 billion in exports, the chemical industry is the largest 
exporter in the U.S. economy. We employ one million Americans 
and are one of the largest private industry investors in research 
and development. Our products help keep the water we drink safe, 
increase productivity of agriculture, enable medical innovations, 
and are essential to homeland defense and the war on terror. 

It is in our nation’s interest to have a competitive chemical in- 
dustry. Information technology is key in maintaining that competi- 
tiveness. At Dow, information technology is fully integrated into all 
aspects of our business, and advanced technology is used to secure 
our facilities. We rely on the automation and integration of our 
processes to drive productivity, quality, and safety. 

The Internet is a valuable communications tool essential to pub- 
lic safety and emergency response. For example, when all of the 
phone service was disrupted from the hurricane, Dow was able to 
use the Internet and Internet-based phones to communicate with 
our people in the region. 

In 2004, chemical industry executives conducted an industry vul- 
nerability assessment. We concluded that, unlike an attack on 
other critical infrastructures, a security breach from cyber would 
not cause cascading impact across the chemical industry. However, 
we believe the highest concern for our industry is the potential of 
a combined physical and cyber attack. 

There are three specific areas for concern in the chemical indus- 
try. 

One, using information on shipments, product inventory, or sites 
to construct a physical attack. That is why Dow has set in place 
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practices, policies, and technologies to protect critical plant systems 
and corporate networks. 

Two, using false identity to acquire chemicals for improper use. 
Our company counters this threat by pre-identifying and verifying 
customers. 

Three, gaining inappropriate access to systems to cause isolated 
disruptions. At Dow, operating practices and authentication tech- 
nologies are continuously being upgraded to restrict access based 
on roles and clearances. 

Our company has conducted a comprehensive cyber security risk 
analysis, and we have used the Sandia National Lab’s methodology 
for assessing vulnerabilities for our sites and manufacturing facili- 
ties. Dow has developed a cyber security management plan, and we 
continue to test and upgrade our plans in all areas of security. 

But we cannot address cyber security threats alone. Security of 
the communications and Internet infrastructure is beyond any one 
sector’s control. Protecting these vital assets from a significant at- 
tack, whether physical, cyber, or a combination, is of utmost impor- 
tance. 

So what role does government play? 

The Department of Homeland Security must contend with the 
real threat of attacks by people, organizations, or nations intent on 
causing significant disruptions to our economy and way of life. Pro- 
tecting communications in the event of a national emergency must 
be a priority along with threat monitoring and modeling, authen- 
tication methods and information protection. We must understand 
how to prevent attacks, what is needed to defend against attacks, 
and how to recover infrastructure from a catastrophic failure. De- 
partment of Homeland Security resources and R&D efforts must be 
dedicated to the big picture. 

In closing, we are encouraged by the Department’s work to pro- 
vide — the work with the private sector to reduce vulnerabilities and 
minimize the severity of cyber attacks. But more needs to be done 
to share and protect relevant information across all sectors and 
government. Government crisis management and disaster recovery 
plans must include industry participation, coordinated emergency 
response, and ongoing monitoring, and managed recovery efforts 
with government and industry together are critical. 

Thank you, and I will be happy to answer any questions at the 
end. 

[The prepared statement of Mr. Kepler follows:] 

Prepared Statement of David E. Kepler 

Thank you Chairman Boehlert and Ranking Member Gordon for allowing me to 
share my thoughts on this important topic. 

Mr. Chairman, before I begin, our thoughts and prayers go out to the millions of 
Americans, including many of our 7,000 employees on the gulf coast who have lost 
so much from Hurricane Katrina. 

Our number one priority is the safety and well-being of our employees and the 
communities impacted by this disaster. We are committed to safely returning our 
facilities to full operation and contributing to the recovery efforts. The importance 
of information infrastructure for communications and emergency response in a na- 
tional crisis has never been more apparent. 

I’m Dave Kepler, Corporate Vice President of Shared Services and Chief Informa- 
tion Officer of The Dow Chemical Company. Dow is the world’s largest chemical and 
plastics producer with annual sales of over $40 billion serving customers in markets 
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such as: food, transportation, health and medicine, personal and home care, and 
building and construction. 

I am also here as the Chairman of the Executive Board of the Chemical Sector 
Cyber Security Program. This effort was established in 2002 to coordinate the sec- 
tor’s activity and to align with the U.S. Government’s National Strategy to Secure 
Cyberspace. The program’s mission is to understand the risks we face as a sector 
and coordinate and prioritize our efforts to reduce those risks. Leadership for this 
program is provided by the chemical industry’s leading CIOs, and leverages exper- 
tise from existing organizations: chemical trade associations, the Chemical Industry 
Data Exchange, and the Chemical Sector Information Sharing and Analysis Center. 

The five strategic elements of the program are: 

• Broad support and participation throughout the sector 

• Engagement with government to ensure effective measures to secure cyber- 
space 

• Identification and reduction of infrastructure vulnerabilities to guard against 
cyber attacks and speed recovery from incidents 

• Establishment of management practices and guidance to support overall sec- 
tor cyber security 

• Ongoing coordination with technology providers, government and academia to 
accelerate development of improved, cost-effective solutions. 

The program produced comprehensive cyber security guidance which was built 
into the Responsible Care Security Code in 2004. Implementation of the Responsible 
Care Security Code is mandatory for all members of the American Chemistry Coun- 
cil and has also been adopted by the Synthetic Organic Chemical Manufacturers As- 
sociation. 

Our sector continues to work closely with the Department of Homeland Security, 
standards bodies such as the National Institute of Standards and Technology (NIST) 
and industry organizations such as Instrumentation Systems and Automation (ISA) 
to share the latest best practices and to develop new standards to defend against 
cyber attacks. 

Today, I would like to discuss the role of information technology in our sector, de- 
scribe the cyber security threats we face and highlight what is being done to address 
these threats. I will also suggest areas where the government can help. 

Let me begin by outlining the importance of our sector to our nation’s economic 
well-being and security — enabling 25 percent of our nation’s GDP. With $109 billion 
dollars in exports, the chemical industry is the largest exporter in the U.S. economy. 
We employ one million Americans and are one of the largest private industry inves- 
tors in research and development. Our industry makes modern life possible, from 
plastics to pharmaceuticals, from cars to clothing. Our products help keep the water 
we drink safe, increase productivity of agriculture, and enable medical innovations 
that prevent and treat disease. Our industry is also essential to homeland defense 
and the war on terror — making products that go into bullet-resistant vests, night 
vision goggles and stealth aircraft. 

Our industry’s safety culture and history of cooperative voluntary initiatives, part- 
nerships with local. State and Federal Government agencies, and strong support for 
research and development, position us well to address new security challenges. For 
example, the industry joined forces to develop the American Chemistry Council’s Re- 
sponsible Care Security Code — building upon long-standing industry safety and 
emergency response programs. 

All aspects of security are integrated into the Security Code including physical 
plant security, transportation security, as well as cyber security. Implementation of 
the Responsible Care Security Code is mandatory for all American Chemistry Coun- 
cil members leading to over $2 billion in investments to improve security and pre- 
paredness across our industry. 

Cyber security has been on our radar screen long before the tragic events of 9/11. 
At Dow, for example, we have had policies and practices in place for securing our 
information assets for many years. These cover the use of the Internet, integration 
of systems, and automation of manufacturing control. The emergence of a significant 
terrorist threat with the events of 9/11 added urgency and focus to our efforts. It 
was this event that prompted the establishment of the Chemical Sector Cyber Secu- 
rity program. 

It’s in our national interest to have a competitive chemical industry, and informa- 
tion technology is key in maintaining that competitiveness. At Dow, information 
technology is fully integrated into all aspects of our business — research and develop- 
ment, manufacturing, accounting, logistics and sales to name just a few. We also 
use information technology to interact with government agencies and to report our 
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re^latory compliance. Advanced technology is also being leveraged to secure our fa- 
cilities and the distribution of our products. We rely on automation and integration 
of our processes to drive productivity, quality, and safety. 

At Dow, approximately 15 percent of our orders are via the Internet, and nearly 
all of our customers use the Internet to learn about our products, track orders, and 
get technical support. The Internet is also a valuable communications tool — essen- 
tial to public safety and emergency response. For example, in the aftermath of 
Katrina when all phone service was disrupted, Dow was able to use Internet based 
phones to communicate with our facilities in the region. 

In 2004, chemical company executives conducted an industry-level vulnerability 
assessment to determine the potential impact of cyber security threats. We con- 
cluded that, unlike an attack on other critical infrastructures, a cyber security 
breach would not cause cascading impact across the chemical industry. 

We believe the higher concern for our industry is the potential of a combined 
physical and cyber attack or the criminal use of illegally obtained information. 

There are three specific areas of concern for the chemical industry: 

1. Using information on shipments, product inventory, or sites to construct a 
physical attack. That’s why Dow has set in place policies, practices and tech- 
nologies to protect the linkage of critical plant systems with corporate net- 
works. 

2. Using false identity to acquire chemicals for improper use. Our company 
counters this threat by pre-identifying and verifying our customers before 
electronic orders. 

3. Gaining inappropriate access to systems to cause isolated disruptions. At 
Dow, operating practices and authentication technology is continuously being 
upgraded to restrict what people can do based on roles and clearances. 

For obvious reasons, I cannot get into all we do to protect ourselves, but here are 
some additional steps that Dow has taken to combat these threats. 

Addressing people, process and technology, we have: 

• Developed a company-wide cyber security management plan that includes in- 
cident management and business continuity. 

• Completed a comprehensive cyber security risk analysis based on the ISO in- 
formation security standard, ISO/IEC 17799. 

• Used the U.S. Government Sandia National Labs methodology for assessing 
vulnerability of our sites and manufacturing facilities — including a review of 
physical, process, and cyber vulnerabilities. 

We continue to test and upgrade our plans in all areas of security. 

Although much has been done within the chemical sector, we cannot address 
cyber security threats alone. Security of the Nation’s telecommunications and Inter- 
net infrastructure is beyond any one sector’s control. Protecting the Nation’s critical 
communication and information infrastructure from a significant attack, whether 
physical, cyber, or combined, is of the utmost importance. 

So, what role should the government play? While there are many issues impacting 
secure computing today such as random hacking and the e-mail virus of the day, 
the Department of Homeland Security must contend with the real threat of attacks 
by people, organizations or nations — intent on causing significant disruption to our 
economy and way of life. Targeted attacks that could have a major economic or so- 
cial impact must be the priority as well as protecting our communications capability 
in the event of a national emergency. 

Department of Homeland Security resources and research and development efforts 
should be dedicated to addressing these ‘big picture’ threats to benefit all sectors 
and improve our national security. Threat monitoring and modeling, better methods 
for authenticating identity, and information protection should be research priorities. 
Efforts should include understanding how to prevent attacks, what resources and 
tools are needed to defend against attacks, and what it would take to reconstitute 
our information technology infrastructure in the event of a catastrophic failure. 

We are encouraged by the Department’s work with the public and private sectors 
to reduce vulnerabilities and minimize the severity of cyber attacks. But, more 
needs to be done around the sharing and protection of relevant information across 
all critical sectors and government. Finally, government crisis management and dis- 
aster recovery plans must include industry participation. As witnessed in the after- 
math of Katrina — coordinated emergency response, ongoing monitoring, and man- 
aged recovery efforts with government and industry are critical. 

We believe continued and expanded cooperation between our critical sector, the 
Department of Homeland Security and other government agencies as well as infer- 
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mation technology providers is vital to reduce vulnerabilities and enhance prepared- 
ness. 

Any efforts to improve cyber security must: 

• Start and end with the commitment to be a risk-based, outcome-focused pro- 
gram. DHS must focus on the real threat of criminal attacks by people, orga- 
nizations or nations. 

• Recognize that cyber security is an integral part of overall security, and build 
upon the work to date of the chemical sector security programs such as the 
Responsible Care Security Code and the Chemical Sector Cyber Security Pro- 
gram. 

• Recognize the high degree of integration of the chemical sector with other 
critical infrastructure sectors, as well as the importance of our industry to our 
homeland defense and economic security. 

In closing, we are committed to ensuring the security of our company and to tak- 
ing a leadership role in improving overall security across our industry. Information 
sharing and continued cooperation between our sector and the Department of Home- 
land Security is critical. Above all else, efforts must be focused on those threats of 
greatest impact and concern to our national security, while addressing the unique 
needs of each sector. 

Thank you and I’d be happy to answer any questions. 

Biography for David E. Kepler 

D.E. (Dave) Kepler is Corporate Vice President of Shared Services and Chief In- 
formation Officer (CIO) of The Dow Chemical Company. In this capacity, Kepler has 
global responsibility for Customer Service, Information Systems, Purchasing, Six 
Sigma, Supply Chain and Work Process Improvement. He is also a member of the 
Office of the Chief Executive (OCE). 

Kepler joined Dow in 1975 in the Western Division Computer and Process Sys- 
tems group. After progressive Commercial and Information Systems roles through- 
out the United States, Canada and the Pacific, he was named Director of Chemicals 
and Plastics Information Systems in 1993. In 1995, Kepler assumed additional re- 
sponsibility as Director of Global Information Systems Applications. He was ap- 
pointed Vice President and CIO in February 1998, and in 2000, assumed the role 
of Corporate Vice President of eBusiness. In 2002, Kepler undertook commercial re- 
sponsibility for the Advanced Electronic Materials business and further expanded 
his role the following year, adding responsibility for Global Purchasing and Supply 
Chain. Kepler assumed his most recent role in January 2004. 

Kepler serves on the Board of Directors of the U.S. Chamber of Commerce. He 
is a member of the American Chemical Society and the American Institute of Chem- 
ical Engineers. In addition, he leads the Executive Committee of the Chemical Sec- 
tor Cyber Security Program. Locally, Kepler serves on the Board of Directors for the 
Midland Community Cancer Services and Alden B. Dow Museum of Science and 
Art. He was the 2004 United Way of Midland County Campaign Chair. 

Kepler received a Bachelor’s degree in chemical engineering from the University 
of California at Berkeley. 
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Chairman Boehlert. Thank you very much, Mr. Kepler. 

Mr. Freese. 

STATEMENT OF MR. GERALD S. FREESE, DIRECTOR OF EN- 
TERPRISE INFORMATION SECURITY, AMERICAN ELECTRIC 
POWER 

Mr. Freese. Mr. Chairman and distinguished Members of this 
committee, thank you for the opportunity to appear before you 
today. 

My name is Gerry Freese, Director of Enterprise Information Se- 
curity at American Electric Power. I am also here representing the 
North American Electrical Reliability Council in Princeton, New 
Jersey. 

AEP is the largest provider of electricity in the country with over 
five million customers in 11 states, and I am responsible for infor- 
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mation security for all corporate and operational systems and net- 
works, including those used in the operation of the hulk power sys- 
tem. 

Before I address the three questions posed to the presenters, I 
would like to preface my remarks. 

In the aftermath of Hurricane Katrina, we have seen the suf- 
fering and the unprecedented devastation in Louisiana and Mis- 
sissippi. We have seen the confusion and chaos when essential 
services were no longer functioning. We have seen how critical in- 
frastructure can he destabilized and destroyed when links are bro- 
ken in its complex chain of multiple interdependencies. Whether 
the cause is a natural disaster or a terrorist attack, the impact on 
people and the economy is horrendous. 

Critical infrastructure industries, by virtue of their interdepend- 
encies, have a responsibility to work across all sectors, and this in- 
cludes the Federal Government, to mitigate risk, ensure service 
continuity and an expeditious recovery in the event of a natural or 
manmade disaster. 

This hearing is timely in its intent to explore means to expand 
the cooperation and collaboration between the private and public 
critical infrastructure sectors. 

Now for responses to the three questions. 

For the first question, the electricity sector has, in many cases, 
developed its own telecommunications network for conducting elec- 
tricity operations, but it is steadily becoming more reliant on public 
networks. The electric sector uses these public networks for many 
functions with the net result that its interfaces with the tele- 
communications sector have become more numerous and complex. 
Both sectors are working together to better understand their levels 
of operational integration and in ways the vulnerability in either 
of these sectors impacts the other. 

Because of these complex and critical interdependencies, it is 
fairly clear that serious damage or disruption of telecommuni- 
cations could seriously undermine the operation and reliability of 
the electricity infrastructure. Accordingly, the electric sector has 
taken some decisive steps to secure the cyber and physical re- 
sources and will continue to invest in comprehensive and effective 
security measures. We have interim cyber security standards in 
place right now and are working diligently to move through the ap- 
proval process for a permanent, more expansive critical infrastruc- 
ture protection standard. 

The final product will strengthen cyber security across the elec- 
tric sector and lay the groundwork for greater collaboration be- 
tween industry and government. 

In response to the second question, the electric industry views 
government entities, such as DHS and DOE, as partners in sector 
cyber security. In fact, we have worked extensively with DHS, DOE 
representatives, the National Labs, and others to try and identify 
areas of focus for good security and determine means to carry out 
what we all see as primary responsibilities for national security. 

We believe the office of the Assistant Secretary for Cyber Secu- 
rity and Telecommunications should focus on several specific areas 
covering private and public sector cooperation. These areas center 
on greater awareness of critical infrastructure interdependencies. 
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information sharing between government and the private sector, 
and true, non-prescriptive partnerships. I would be happy to elabo- 
rate on those three points in the question-and-answer period, if it 
is possible. 

As to the third question regarding possible research and develop- 
ment opportunities, the electric sector is interested in continuing to 
work closely with DOE on the work being done at the Idaho Na- 
tional Lab. We believe it holds great promise as one of the best and 
most efficient means of stimulating research and developing tech- 
nical solutions to the present cyber security problems. DOE and 
DHS have provided leadership and support on this initiative, and 
the electricity industry is committed to its success. 

Regarding inadequacies of the electric sector security solution, 
the present electric infrastructure has been built over many years 
and various types of process control systems produced by a diverse 
set of vendors. These legacy systems are a large part of the reason 
that new technology security solutions cannot be more widely de- 
ployed across the industry. 

The long-term solution to this is to begin a process of rebuilding 
the old infrastructure with the ultimate goal of replacing it with 
next-generation equipment and technology. The new infrastructure 
would be based on greater levels of security and reliability with en- 
hanced design recognition of the interdependencies between the 
electric and telecommunications sectors. 

Work is already underway in this area. The Telecommunications 
and Electric Power Interdependencies Task Force is exploring the 
next generation of public networks and how the electricity sector 
will be able to use these networks of the future through the em- 
ployment of more sophisticated encryption technology and other se- 
curity measures. 

Cyber security is evolving rapidly, and all of us working in the 
discipline are tirelessly seeking more effective solutions for pro- 
tecting our critical assets and systems. We appreciate your interest 
in this topic and welcome your assistance in helping us to ensure 
our critical infrastructures are protected, secure, and reliable. 

Thank you for your attention. 

[The prepared statement of Mr. Freese follows:] 

Prepared Statement of Gerald S. Freese 

Mr. Chairman and distinguished Members of this committee, thank you for the 
opportunity to appear before you today. My name is Gerry Freese. I am the Director 
of Enterprise Information Security for the American Electric Power Company in Co- 
lumbus, Ohio. AEP is the largest supplier of electricity in the country, with over 
five million customers in 11 states. I am responsible for information security for all 
of AEP’s corporate and operational systems and networks, including those used for 
the operation of the bulk electric system. 

My reason for being here today is to talk about the cyber security needs and ac- 
tivities of the entire electricity sector, one of North America’s most critical infra- 
structures. During my career, I have worked with numerous industry-wide commit- 
tees addressing the growing need for increased security for information and cyber 
systems. This need is underscored by the sheer expanse and diversity of the elec- 
tricity sector, which is made up of large and small entities, publicly, privately, and 
government owned and operated. Through industry groups and as individual compa- 
nies, we have always placed great emphasis and the highest priority on the need 
to protect our information systems and effectively secure the data residing on them. 

Before I address the three questions posed to the presenters by the Committee, 
I want to make two points. 
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First, our industry has long-term and positive working relationships with federal 
agencies, including the Department of Homeland Security (DHS) and the Depart- 
ment of Energy (DOE). We value these relationships and want to work collabo- 
ratively to improve them even further. The recent recognition from DOE and DHS 
of the Electricity Sector Coordinating Council (ESCC) is a positive step. We firmly 
believe the relationships between federal agencies and the industry are working 
well because both the electricity sector and the federal agencies recognize the value 
in jointly addressing issues. Both the industry and government recognize the dif- 
ficulties posed by prescriptive mandates and overly rigid rules and regulations that 
stifle creative solutions to problems. 

Second, our industry continues to have concerns about the security of information 
after it is provided to the government. The electric infrastructure is one of the most 
critical infrastructures servicing the Nation and allowing us to maintain our way 
of life. Certain technical, architectural and operational aspects and details must be 
kept secure so they will not be inadvertently disclosed to those who would try to 
disrupt or destroy our social, political or economic fabric. We believe the Critical In- 
frastructure Information (CII) approach meets most of the needs for critical informa- 
tion protection but have been frustrated by an evident lack of progress in fully im- 
plementing this important safeguard. 

I will now respond to the three questions posed by the committee. In response to 
the first question, the electricity sector has, in many cases, built its own tele- 
communications networks but is steadily becoming more reliant on public networks 
as well. The electricity sector uses the public networks for many functions including 
customer service and information exchange via the Internet. It also uses the Inter- 
net and the public networks for a limited amount of telemonitoring of the electrical 
system, although this varies by individual electric company. The interdependencies 
between the telecommunications sector and the electricity sector are numerous and 
complex. Because of these complex and critical interdependencies, serious damage 
or disruption of the telecommunications infrastructure would seriously undermine 
the operation and operability of the electricity infrastructure. Both sectors are work- 
ing together to better understand their criticality and the ways that vulnerabilities 
in either of these sectors impacts the other. 

Securing the extensive, distributed and critical electric power infrastructure is a 
huge responsibility that the electricity industry takes very seriously. We have al- 
ready taken decisive steps to secure our cyber and physical resources and will con- 
tinue to invest in comprehensive and effective security measures. We have interim 
cyber security standards in place and are working diligently to move through the 
approval process a permanent, more expansive Critical Infrastructure Protection 
(CiP) standard. The permanent standard will strengthen cyber security across the 
electricity sector and lay the groundwork for greater collaboration between the in- 
dustry and government. 

In response to the second question, DHS can assist the electricity sector in cyber 
security by continuing its support of security activities like Carne^e Mellon’s Com- 
puter Emergency Readiness team. DHS also has been very supportive of other infor- 
mation sharing activities, which adds value to our industry’s security initiatives. 
Another more recent example is the Process Control Security Forum. This group is 
made up of several key industry sectors that use process control systems and in- 
cludes government representatives, academics, and vendors. The forum is working 
to develop design guidelines for the next generation of more secure control systems 
and is looking at what can be done to improve existing systems. As the forum con- 
tinues to make progress, the possibility of seed money from DHS should be consid- 
ered to stimulate the implementation of the ideas and concepts developed. 

Another way that DHS can assist the electricity sector is by helping coordinate 
research initiatives taking place in cyber security. Many of the most prestigious in- 
stitutions in America are engaged in research and development in this area. The 
missing element that hinders real progress is an overall coordination plan to avoid 
competition for funding and duplication of effort. The coordination should extend be- 
yond the borders of the United States because a number of other countries such as 
Australia, Canada, Great Britain, and Japan have also made cyber security a top 
priority. 

The third question focused on current inadequacies in security and possible re- 
search and development opportunities. The electricity industry is interested in con- 
tinuing to work closely with DOE on the work being done at the Idaho National 
Laboratory. We believe it holds great promise as one of the best and most efficient 
means of stimulating research and developing technical solutions to the present 
shortfalls in cyber security. DOE and DHS have provided leadership and support 
on this initiative and the electricity industry is committed to its success. Again, 
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DHS should coordinate this work with other projects in this topic, both domestically 
and internationally. 

The present electric infrastructure has been built over many years with various 
types of process control systems produced by a large number of vendors. The long- 
term solution to present inadequacies is to build out the old infrastructure with the 
next generation of technologies and equipment. The new infrastructure will be based 
on greater levels of security and reliability, enhanced design, and recognition of the 
interdependencies between the electricity sector and the communications sector. 
Very interesting work is already taking place in this area. The Telecommunications 
and Electric Power Interdependencies Task Force is exploring the next generation 
of public networks and how the electricity sector will be able to use these networks 
of the future through the employment of more sophisticated encryption and other 
security measures. 

The cyber security arena is evolving rapidly and all of us working in the field find 
it to be an exciting and stimulating professional challenge. Operational and security 
technologies are changing quickly. We appreciate your interest in the topic and wel- 
come your assistance in helping us to ensure that our critical infrastructures are 
protected and secure well in the future. Thank you for your attention. 

Biography foe Gerald S. Freese 

Gerald Freese is the Managing Director of Enterprise Information Security at 
American Electric Power. He is responsible for defining, developing and executing 
all information security programs to effectively protect AEP data and systems, in- 
cluding critical digital control systems. He is responsible for regulatory compliance 
and critical infrastructure protection for cyber security, and has been instrumental 
in the development of cyber security standards for the energy industry. Gerald 
Freese is a recognized security and infrastructure protection expert who brings a 
powerful combination of leadership, domain experience, technological vision and 
strategy development to American Electric Power. He is the company’s primary data 
security architect, and a strong proponent of industry and government partnerships 
for critical infrastructure protection. 

Prior to accepting a position at American Electric Power, Mr. Freese was the Di- 
rector of Security Intelligence at Vigilinx, Inc., where he developed an early warning 
and data analysis process to identify computer-based threats and attack profiles. He 
has authored in depth analytical papers on cyber-activities relative to geopolitical 
threat environments and has testified before congress on critical infrastructure 
interdependencies and control system security. Mr. Freese is a retired naval 
Cryptologic Officer with extensive experience in computer security and information 
warfare. He has held other leadership positions in the information technology indus- 
try with Perot Systems and General Dynamics Advanced Information Systems. 

Mr. Freese is a Certified Information Systems Security Professional (CISSP). He 
holds a Bachelor’s degree from State University of New York (Albany), and a Mas- 
ter’s degree in Information and Telecommunications Systems from Johns Hopkins 
University in Baltimore, Maryland. 
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September 13, 2005 

The Honorable Sherwood Boehlert 
Chairman, Science Committee 
2320 Rayburn Office Building 
Washington, DC 205 IS 

Dear Congressman Boehlert; 

Thank you for the invitation to testify before the Committee on Science of the U.S. 

House of Representatives on September IS**' for the hearing entitled '''Cybers 0 curity: 

How Can the Government Help Address VulnerabUltles in Critical Industries ? In 
accordance with the Rules Governing Testimony, this letter serves as formal notice of the 
federal funding I currently receive related to the hearing topic. 

I received no federal funding directly supporting the subject matter on which I 
testified, in the current fiscal year or either of the two proceeding fiscal years. 


Sincerely, 



Chairman Boehlert. Thank you very much. 

Mr. Geisse. After that wonderful introduction by Mr. Akin, I 
want to make sure we hear you. 

STATEMENT OF MR. ANDREW M. GEISSE, CHIEF INFORMATION 
OFFICER, SBC SERVICES, INC. 

Mr. Geisse. It doesn’t go against my five minutes, does it? 

Okay. Thank you. Chairman Boehlert, Ranking Member Gordon, 
other Members of the Committee. And I would like to thank Con- 
gressmen Akin and Sessions for that unexpected and kind intro- 
duction. 

I am pleased to represent SBC Communications on this panel fo- 
cused on cyber security within critical industries. 

SBC has a long history of providing reliable communication serv- 
ices. We provide voice and data communication services as a local 
exchange carrier in 13 states. We also provide services nationally 
as a long distance provider, data services provider, and Internet 
services. We have a national wireless presence with BellSouth in 
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Cingular Wireless, and we recognize the importance of our nation’s 
critical communications infrastructure and the role that it plays for 
the security of the United States and its citizens. Integrity and reli- 
ability of our networks have been cornerstones of the communica- 
tions industry. 

At SBC, we implement both physical and cyber security meas- 
ures that protect both our customer-serving networks as well as 
our internal information systems networks. Physical security meas- 
ures include things like guard services, card key IDs, visible badge 
policies, video monitoring, and in special cases, biometric type secu- 
rity. 

Information security, though, begins with the employee, and it 
begins as being part of our code of business conduct that every em- 
ployee has to read and sign off on each year. We segment our inter- 
nal network connections from our external network connections 
using various security technologies to ensure the integrity of our 
networks. We keep our internal core business network separate 
from the general employee network, and we use virus protection 
software, of course, on all of our PCs as well as our e-mail servers. 

Proactive vulnerability scanning is a key part of our strategy, 
and it is something that we do on a daily basis. SBC maintains 
close ties to government agencies responsible for national security. 
We work closely with them on a daily basis to receive and share 
security-related information. Examples are the National Security 
Telecommunications Advisory Council, the National Coordinating 
Center Telecom Information Sharing and Analysis Center, 
Infragard, and the National Security Information Exchange. 

Continued government focus on security standards and collabo- 
rative support organizations is seen positively by SBC; providing 
research assistance, grants, and funds to focus the information 
technology industry to work towards security standards and best 
practices is absolutely necessary. It is important that the govern- 
ment provides to the critical industries that are part of our infra- 
structure the best practices that they learn from their own cyber 
security agencies. 

Society in the 21st century is rapidly changing with increasing 
reliance on information technologies. Users expect that they be mo- 
bile and that they have access to the Internet and e-mail wherever 
they are. Providing secure services in the environment becomes in- 
creasingly important and challenging. Federal programs could help 
educate and assist consumers to understand their roles and respon- 
sibilities in a connected world. 

As recognized by the Department of Homeland Security, the Na- 
tion is dependent on the critical infrastructure of communications, 
banking and finance, power, food, health, information technology, 
and others. A disruption to any component of those affects the 
whole infrastructure. Securing against disruptions of any compo- 
nent is a best interest of all of us. 

The communication industry is also increasingly dependent on 
application and information technology vendors to ensure the prod- 
ucts they provide are of the highest quality and integrity. Software 
and hardware that does not meet industry standards or best prac- 
tices require additional efforts and expense to meet its expected 
function. Vendors that provide software or hardware with security 
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vulnerabilities that must be continually monitored, reviewed, 
patched drain on a company’s resources and a liability to compa- 
nies that must ensure the integrity of their own systems, data, and 
services. 

As a result, cyber security must become a priority in the creation 
of new information technologies. To date, security components are 
often an afterthought. I mean, you can look at cellular and Wi-fi 
when they first came out in the ability to intercept calls, clone 
phones, and data snooping where they could occur. 

Internet protocol-based services wrestle constantly with the need 
to traverse the same network paths where unscrupulous persons 
may have the ability to interfere, impede, or intrude on the service 
itself IP-based services must find new ways to protect the content 
of each packet that is carried and delivered in the shared Internet 
world. SBC is committed to work with the information industry to 
help build the next generation of Internet-based voice and video 
and data services securely. 

Mr. Chairman and Members of the Committee, your assistance 
to focus industry attention on cyber security is greatly appreciated. 
We encourage the Department of Homeland Security to continue to 
support research grants and assistance that focus on national cyber 
security, to support industry organizations and government agen- 
cies that create security standards and best practices, to continue 
to provide early warnings of security events through various gov- 
ernment agencies, and to make sure that the government-identified 
security best practices are shared with our private, critical infra- 
structure industries. 

I would like to add that you make sure that our laws carry seri- 
ous penalties for cyber security issues and that the instigators are 
prosecuted to the full extent of the law. It must become a major 
crime. It is no longer just kids playing with computers. It is a real 
threat and the attacks are serious. 

Thank you for the opportunity to appear here today. The work 
you are doing is critical to our future as a nation. Cyber terrorism 
is a real threat, and we must stay diligent. 

Thank you, Mr. Chairman. 

[The prepared statement of Mr. Geisse follows:] 

Prepared Statement of Andrew M. Geisse 

Thank you, Chairman Boehlert, Ranking Member Gordon and Members of the 
Committee. 

I am pleased to represent SBC Communications on this panel focused on cyber 
security within our nation’s critical industries. 

SBC has a long history of providing reliable communication services. SBC pro- 
vides voice and data communications services as a local exchange carrier within 
thirteen states and nationally with long distance, data and Internet services. We 
also have a national wireless presence in Cingular Wireless in a partnership with 
BellSouth. We recognize the importance of our nation’s critical communication infra- 
structure and the role it plays for the protection of the United States and its citi- 
zens. Integrity and reliability of our networks have been historic cornerstones of the 
communications industry. 

As society becomes more and more dependent on information technology, cyber se- 
curity must be a priority to protect the services provided by those same resources. 

How does the eommunieations sector depend on public and private infor- 
mation systems? 

SBC well understands the strong connection between communications security 
and information technology, or what is commonly referred to as cyber security. 
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Behind the networks that move voice and data, are many applications, private 
networks, and computing resources. These resources support the operations, admin- 
istration, maintenance, and provisioning services of our telecommunications infra- 
structure. These information systems and networks provide SBC and other carriers 
the ability to manage this complex industry supporting the dial tone and Internet 
connections that we have all come to expect as a part of our daily lives. Securing 
these cyber resources to ensure the integrity and availability of communications net- 
works is a role that SBC takes seriously, as part of its corporate culture. 

SBC uses many vendor products within its information technology infrastructure. 
In that regard, SBC is dependent on vendor product development in the private sec- 
tor and delivery of private sector services and materials to support the information 
technology services of the infrastructure. In this manner, SBC relies on vendors to 
incorporate cyber security best practices, standard interfaces, and administrative 
tools within their products. SBC is also reliant on vendors to ensure their software 
products can be patched easily to prevent existence of long-term vulnerabilities. 

In support of the private sector, SBC provides managed security services as a 
product offering. These types of services include: risk reviews and analysis, firewall 
installation and monitoring, and firewall and intrusion prevention/detection reseller 
for other vendor products. 

For the consumer space, SBC’s Internet Services organization through our rela- 
tionship with Yahoo! provides security tools to our Internet Services customers as 
part of their Internet experience. In this manner, SBC supports cyber security to 
the consumer so they can better protect their home information technologies, which 
in turn provides less problems to the shared Internet space. 

Other areas where SBC has focused on consumer cyber security is as a founding 
member of the Internet NOC Hotline, which connects key U.S. and International 
ISPs. SBC is also a founding member of the Global Infrastructure Alliance for Inter- 
net Security. 

An area where SBC would recommend government focus is on the education of 
the consumers regarding cyber security matters. End users must recognize they are 
part of the interconnected world. When end-users do not understand how virus and 
worm propagation can impact their home PCs, the result is a negative effect at the 
Internet level. This impact is caused through a variety of malicious activities, in- 
cluding, SPAM e-mails and bot-networks. Educational awareness programs should 
advise users on anti-virus protection and identity theft protection. 

What steps is SBC taking to secure its systems? 

At SBC, we implement physical and cyber security measures that protect both our 
customer-serving network facilities and our internal information services. Physical 
security measures include guard services, card key technologies, visible badge poli- 
cies, video monitoring, and, in special cases, bio-metric technologies. 

Information security begins with a cyber security policy that is part of our Cor- 
porate Code of Business Conduct. We segment our internal network connections 
from external networks using various security technologies to ensure the integrity 
of our network. We keep our internal core business networks separate from the gen- 
eral employee network. Virus protection software is deployed as standard on 
desktops and e-mail servers. Pro-active vulnerability scanning is performed con- 
stantly to identify potential areas of risk. 

SBC maintains close ties to government agencies responsible for national security. 
We work closely with them on a daily basis to receive and share security related 
information. Examples are the National Security Telecommunications Advisory 
Council (NSTAC), National Coordinating Center Telecom Information Sharing and 
Analysis Center (NCC Telecom ISAC), Infragard, and the National Security Infor- 
mation Exchange (NSIE). 

Internally, SBC has several organizations dedicated to the security of our assets. 
Organizations such as our National Security/Emergency Preparedness organization, 
our Asset Protection organization, and our Corporate Information Security organiza- 
tion, work to protect our customers information and services, our employees, and 
our internal networks and data on a daily basis. 

Our SBC Labs business unit works closely with technology vendors, academic 
communities, and government standards organizations, to partner and share infor- 
mation on new technologies. Cyber security standards are always a priority in fu- 
ture service and technology development and a focus of our internal auditing organi- 
zation as well as external security audits. 

Continued Government focus on security standards and collaborative support or- 
ganizations is seen positively by SBC. Providing research assistance, grants, and 
funds to focus the information technology industry to work towards security stand- 
ards and best practices is necessary. It is important that the Government provides 
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to the critical infrastructure industries the learnings and best practices that its 
cyber security agencies learn. 

Legislation should not always be necessary to bring industry attention to tech- 
nical priorities. However, providing research assistance, grants, and funds to focus 
the information technology industry to work towards security standards and best 
practices is necessary. 

What are the possible eonsequenees for the eommunieation seetor of dis- 
ruption or attack on information systems? 

Society in the 21st century is rapidly changing with increasing reliance on infor- 
mation technologies. Users’ expectations are that they be mobile and have instant 
access to the Internet and their e-mail. Providing secure services in this environ- 
ment becomes increasingly important and challenging. Federal programs could help 
educate and assist consumers to understand their roles and responsibilities in a con- 
nected world. 

To illustrate: Consider how often people stop for gas and use a payment card at 
the pumps for convenience. The payment card transactions must be carried effi- 
ciently, reliably, and securely across communications networks. This is to ensure the 
gas vendor, the payment card vendor, and the customer are all satisfied that the 
transaction occurred to everyone’s expectation. 

The networks, the applications, and the information systems that are necessary 
to complete transactions of this nature are part of our society on a daily basis. 
Cyber security is necessary to ensure the integrity of those transactions. Disruptions 
within the communications sector can impact these, and other, daily activities. 

Consider the impact of disrupted or unreliable communications to everyday needs, 
including how patients obtain collaborative health care between multiple providers 
and locations. Communications plays ever increasing importance to health indus- 
tries, emergency first responders, 911 services, law enforcement, banking, power, 
and other parts of our society that serve critical functions. 

With the growing use of wireless technologies, we must recognize that those wire- 
less systems still rely on an underlying physical transport, use of back-end systems 
and applications that may interconnect with other carriers. As we have recently wit- 
nessed in New Orleans and the Gulf Coast, if the supporting infrastructure is dis- 
rupted, communication fails. A cyber disruption could cause similar impacts as a 
physical disruption. 

While we recognize that other critical infrastructure industries are reliant on the 
communications industry to provide the network and communication services, we 
also recognize that we, as an industry, are reliant on those other industries. We re- 
quire industries such as electricity and gas, banking and finance, health, and gov- 
ernment, to also function securely and without disruption to ensure the integrity of 
our communications infrastructure. 

As recognized by the Department of Homeland Security, the Nation is dependent 
on the critical infrastructure of communications, banking and finance, power, food, 
health, information technology and others. A disruption to any component affects 
the whole infrastructure. Securing against disruptions to any component is in the 
best interest of all. 

In what areas are current cyher security technical solutions for the com- 
munications sector inadequate? Where is further research needed to miti- 
gate existing and emerging threats and vulnerahilities? 

The communications industry is also increasingly dependent on application and 
information technology vendors to ensure the products they provide are of the high- 
est quality and integrity. Software and hardware that does not meet industry secu- 
rity best practices and standards require additional efforts and expense to meet its 
expected function. Vendors that provide software or hardware with security 
vulnerabilities that must constantly be monitored, reviewed, and patched, are a 
drain on a company’s resources and a liability to companies that must ensure the 
integrity of their systems, data, and services. 

SBC works diligently with software vendors that provide the foundation of the in- 
formation technology infrastructure to ensure necessary software security patches 
are installed to protect our complex environment. Continued focus from the Federal 
Government on industry standards for secure information technology products is ap- 
preciated and desired. This will help to ensure that better security and quality is 
an objective of the software, network and computer hardware industries. 

NIST (National Institute of Standards and Technology) is one example of a col- 
laborative organization that has been helpful in promoting information security re- 
quirements through its various research and standards efforts. We, as a business, 
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look to leverage those standards as potential baselines in our efforts and are glad 
to see vendors meet such useful guidelines. 

How should federal agencies, such as DHS, the National Science Founda- 
tion, the National Institute of Standards and Technology, and the Defense 
Advanced Research Projects Agency, and the academic researchers work 
with industry to define priorities for and support research in these areas? 

Cyber security must become a priority in the creation of new information tech- 
nologies. To date, security components for information technologies often appeared 
to be an afterthought. Examples of this can be seen in early versions of cellular and 
Wi-Fi technologies, where calls could be intercepted, cell phones cloned, and data 
snooping could occur. 

Internet Protocol (IP) based services wrestle constantly with the need to traverse 
the same network paths where unscrupulous persons may have the ability to inter- 
fere, impede, or intrude on the service itself. IP based services must find new ways 
to protect the content of each packet that is carried and delivered in this shared 
Internet world. 

We have all seen that virus and worm attacks have risen over the past several 
years. Research focus on how to prevent the distribution of malicious content 
through virus, worms, and e-mail should be a high priority for all industries that 
use the Internet for communications and business. The ability to detect and remove 
unwanted data content and attacks as it progresses through the network is more 
desirable than expecting each end device to have the same ability to protect itself 
from its neighbors on the networks. 

Admittedly, security requirements interfere with convenience of the product or 
service offered. However, we need cyber security and software development stand- 
ards that insist new technologies embrace security as part of their evolution and de- 
velopment. In this way, society as a whole benefits through improved assurance of 
integrity, reliability, service, and subsequent reduced resource costs to support those 
services. 

SBC is committed to work with the information industry to build the next genera- 
tion of Internet-based voice, video and data communications, securely. 

What are the most eritieal responsihilities of the Department of Homeland 
Seeurity (DHS) in eyher security for the communications sector and what 
are the most urgent steps the new Assistant Secretary for Cyher Security 
and Telecommunications should take? 

Mr. Chairman and Members of the Committee, your assistance to focus industry 
attention on cyber security is greatly appreciated. We encourage the Department of 
Homeland Security to continue: 

• to support research grants and assistance that focus on National cyber secu- 
rity, 

• to support industry organizations and government agencies that create secu- 
rity standards and best practices, 

• to continue to provide early warnings of security events, through various gov- 
ernment agencies, 

• and to make sure the security best practices that various critical government 
agencies develop are shared with our critical infrastructure industries. 

I would like to add that you should make sure our laws carry serious penalties 
for cyber security issues and that the instigators are prosecuted to the full extent 
of the law. It must become a major crime. It is no longer just kids playing with com- 
puters. The attacks are serious. 

Thank you for the opportunity to appear before you today. The work you are doing 
is critical to our future as a nation. Cyber terrorism is a real threat and we must 
stay diligent. 


Biography for Andrew M. Geisse 

Andy Geisse, Chief Information Officer, is responsible for Information Technology, 
Payroll and Billing Operations for SBC Communications, Inc. and its subsidiaries. 
He was appointed to this position in October 2004 and is located in San Antonio, 
Texas. 

Andy began his telecommunications career in 1979 with Southwestern Bell Tele- 
phone Company as Assistant Manager for the comptrollers department. He then 
held a variety of information technology, sales, and strategic marketing positions for 
Southwestern Bell and SBC Communications Inc. Andy served as Executive Direc- 
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tor, Wireless Product Development for Southwestern Bell Mobile Systems and Vice 
President and General Manager for Southwestern Bell Mobile Systems’ Oklahoma 
and West Texas regions. 

In 1995, he moved to Santiago, Chile, and served as Vice President and Chief Ex- 
ecutive Officer of VTR Cellular. He later became President of the Board of 
STARTED Communications, the first nationwide cellular company in Chile. SBC 
had interests in both companies. 

In January 1998, Andy moved to New York, as President and General Manager 
of SBC’s Cellular One upstate New York subsidiary. Later that year, he became 
Vice President Enterprise and OSS Systems for SBC and its subsidiaries, located 
in San Ramon, California. In October 1999 Andy was appointed Senior Vice Presi- 
dent, Enterprise Software Solutions, responsible for corporate-wide software solu- 
tions. 

Andy grew up in Minneapolis, Minnesota, and St. Louis, Missouri. He earned a 
Bachelor’s degree in Economics and Mathematics from the University of Missouri- 
Columbia and a M.B.A. from Washington University in St. Louis. He and his wife, 
Jane, have four children. 
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Discussion 

Chairman BOEHLERT. Thank you very much, and thank all of 
you. 

You know, one of the dangers of a hearing dealing with a sen- 
sitive subject like this is that we provide fire for tabloid trash. And 
I darn sure don’t want to go to my supermarket checkout counter 
next week, and I do the grocery shopping incidentally, and read a 
headline that says, you know, “Science Committee Warns Cyber 
Katrina Imminent.” 

Now having said that, and taking that risk, using DHS’s own 
color-coding system, I would say the threat is, at a minimum, at 
best, yellow, and perhaps even orange. 

My question to all of you is do you think collectively, one, the pri- 
vate sector gets it and understands the full dimensions and impli- 
cations, and two, the government understands the full dimensions 
and potential implications? 

Let me ask each of you. Mr. Geisse? 

Mr. Geisse. Yes, Chairman Boehlert. 

I believe the private sector understands it is critical, and I also 
do believe the government does as well. 

But I think it is sometimes an afterthought in the sense that it 
is more of a technology issue and it is not only a technology issue. 
It is truly a part of our critical infrastructure and something that 
we have to be focused on as a country. 

Chairman Boehlert. Mr. Freese. 

Mr. Freese. I think both the government and the private sector 
understand the issues. I see some basic fundamental problems, 
though, in addressing these issues as a combined force. Just as I 
referred to in my comments, information sharing with DHS has got 
to be extremely frustrating for them. They ask for information on 
critical infrastructure assets. We can’t provide that, because there 
is no way that they can protect that information. It stalls the whole 
process. 

Chairman Boehlert. So it is very necessary for the government 
and the private sector to cooperate, but you don’t have the 
confidence 

Mr. Freese. Absolutely. 

Chairman Boehlert. — that the information you share, and that 
is very important information to determine vulnerability and re- 
sponse capability. You are concerned about providing that, because 
you are concerned about the security of sharing proprietary infor- 
mation — all right. 

Mr. Freese. That is correct, Mr. Chairman. 

And that has been going on for a couple of years now. 

Chairman Boehlert. Well, we are going to change it. 

Mr. Kepler. 

Mr. Kepler. Yes, I think industry has put the time into this 
thing and understands the risks-based approach. The concern I 
would have is that there is a lot of problems in cyber security and 
are we focused on getting the right solutions for the major issues 
so at the end you can work on everything and not be effective in 
anything. And I think we really have to be focused on the major, 
national impacts as a first wave of fixing things. 
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Chairman BoEHLERT. Mr. Leggate. 

Mr. Leggate. I would say, in my experience, that most boards 
get it. Most boards who run serious companies understand their de- 
pendency, in this age, on this whole digital environment. So that, 
I think, is done. 

Whether small businesses understand the services that they 
need for everyday transactions, I am not sure about that. 

On the government level, I would say in the United States, 
maybe — who understand entirely departmentally the issue. Where 
the challenge comes, I think, is to put this into practical action in 
a timely way and to then set a set of priorities become of — almost 
a national plan to do things very quickly in a focused way, not 
across a whole landscape, but just nail the big issues. And to me, 
that is where the gap is. 

Chairman BoEHLERT. Yes. And let me ask, and one of the lessons 
learned from Katrina is diffused responsibility. Everybody’s respon- 
sibility tends to be no one’s responsibility. Where would you sug- 
gest the focal point should be? I am encouraged, as I hope you are, 
that the Secretary has announced the creation of an Assistant Sec- 
retary for Cyber Security and Telecommunications. Would that be 
the focal point? I mean, there is somebody that has to be sort of 
at the center of coordinating all of these activities. You can’t have 
14 people the center of coordination, because they don’t coordinate 
amongst themselves. 

Where would you suggest that be? 

Mr. Leggate. 

Mr. Leggate. Well, I would separate the notion of coordination 
from accountability. So coordination is a fine thing to do, and done 
well is good. But where do we look for the ultimate accountability 
for the service level we get from the Internet? To whom do we look 
of that? And so I think big steps to go forward to improve coordina- 
tion, but I do think at some level we must actually break through 
into accountabilities that isn’t visible today. 

Chairman BOEHLERT. Mr. Kepler. 

Mr. Kepler. Yes. I think information technology is pervasive, so 
the idea that you would have a focused effort on cyber security, we 
think, is exactly correct. But to John Leggate’s point is that when 
you think about emergency response, you think about physical se- 
curing of critical infrastructure. Those also have Internet impacts. 
So the — you can’t separate all of these things in the Departments 
and have them link together. You have to have coordination but 
then recognition that these bodies really have to work together to 
come with — come up with common capabilities to, you know, de- 
fend, protect, and respond. 

Chairman BOEHLERT. Mr. Freese. 

Mr. Freese. I agree. I think the coordination, I think, should lie 
at that new position’s role. But again, and I may sound like a bro- 
ken record here, but if there is going to be a coordination point, 
there has to be representation, and strong representation, from the 
private sector to assist in that coordination, because I have seen 
too many times in the past, it looks like a good thing to do from 
an overall perspective, but it is not focused to where it really needs 
to be. 

Chairman BOEHLERT. Mr. Geisse. 
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Mr. Geisse. Well, I think you brought up a good point, Mr. 
Chairman. I think we have lots of agencies focused on cyber secu- 
rity, but we don’t have a single, real focal point. And maybe by the 
Department of Homeland Security setting this up, it should help do 
that. 

Chairman BoEHLERT. So I would take it that your reaction is the 
same as mine: the welcoming of the announcement by the Sec- 
retary that we are going to have a new Assistant Secretary for 
Cyber Security and Telecommunications, the sooner the better. 

Mr. Geisse. Yes, sir. 

Chairman BoEHLERT. But that is progress. We are moving in the 
right direction. 

The red light is on for me. And I have got to practice what I 
preach, so I have got to shut up and now recognize Mr. Gordon. 

Mr. Gordon. Thank you, Mr. Chairman. 

And because we do have that red light, in all due respect, I 
would like for you to try to be crisp in your answers. And let me 
tell you, I want to ask each of our industry sector representatives 
to tell me what they think about how vulnerable your sector might 
be to a serious, focused, cyber attack; what could be the con- 
sequences of that attack for your industry; and what role would 
you suggest for Homeland Security or other parts of the Federal 
Government in trying to help you develop a plan and also more 
preferably, avoid that, and then if there is something that happens, 
the recovery? 

And while you are thinking about that, let me quickly ask a 
question for Mr. Purdy. 

Mr. Purdy, I recognize you are just recently been appointed the 
Acting Director of the agency, and so all of the either omissions or, 
probably more likely, the low priority that the agency has placed 
toward cyber security over the last four years can’t be laid at your 
feet. But it seems like your testimony mostly was a litany of things 
you want to do or you are starting to do and that, really, the only 
plans are really just a framework document. This is concurred by 
the General Accounting Office, which had a report this summer 
that said the DHS has not yet developed national cyber threat and 
vulnerability assessments or government industry contingency re- 
covery plans for cyber security. And so my really simple question 
is, when do you estimate these assessments and recovery plans will 
be in place? 

Mr. Purdy. Well, attempting to comply with your request that 
we be succinct, let me say that I am proud to associate myself with 
the activity of the Department of Homeland Security since it was 
set up. I worked on the National Strategy to Secure Cyberspace on 
the White House staff and then came over to the Department to 
help set up this agency, and I have been Acting Director since Oc- 
tober of last year. 

We have made tremendous progress in building our watching 
warning capability 

Mr. Gordon. Yes, and I don’t mean to be disrespectful, but I said 
one simple question. When do you estimate that these assessments 
and recovery plans will be in place? 

Mr. Purdy. We have a couple different levels. The fundamental 
response to attacks is the ESF-2, is the communications piece. 
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which is we have a close partnership with NCS and NCSD, that 
is in place. It is operational. There is a long history of the 
communications 

Mr. Gordon. Was it in place when the General Accounting Office 
did their report this summer? 

Mr. Purdy. Yes, it was. 

Mr. Gordon. Well, they didn’t seem to think it was in place. 

Mr. Purdy. Well, reading the entire GAO report, there is a rec- 
ognition of tremendous progress we have made 

Mr. Gordon. Recently. 

Mr. Purdy. — in a number of places. 

Mr. Gordon. Right. Recently. 

Mr. Purdy. And the ESF-2 is a long-standing product of a pub- 
lic/private partnership with the private sector that has stood the 
test of time, and we are proud to be associated with that. The ac- 
tual assessment of risk is part of the National Infrastructure Pro- 
tection Plan. The base plan will be out later this year, and each 
individual sector is working on developing 

Mr. Gordon. You said the base plan. That will still just be the 
framework? 

Mr. Purdy. Yeah, the federal plan, the more detailed guidance 
of 

Mr. Gordon. But again, I just had a very simple question. When 
do you estimate these assessments and recovery plans will be in 
place? 

Mr. Purdy. There are two different elements. There is the as- 
sessment and there is recovery. 

Mr. Gordon. Okay. 

Mr. Purdy. The National Infrastructure Protection Plan is part 
of the assessment. We are also, within the Information Analysis 
and Infrastructure Protection Division, doing a risk assessment of 
cyber that is one of the priority efforts to fuse intelligence, to map 
the threat against the risk. So that is going to be ready very soon. 
The National Infrastructure Protection Plan, the risk assessment 
piece, will be early next year as to when that part of the assess- 
ment is completed. 

Mr. Gordon. Right. Thank you. I just didn’t want to take time 
from these other folks. 

Now, if you could, I would like to hear about your sectors. 

Mr. Leggate. Okay. Let me speak for that. 

I answer your question in — although it is a simple question, in 
two ways. 

The first one is today, 2005, I will take a point in time in 2007 
or 2008. So given we are still in the process of migration from pri- 
vate networks to the Internet, the consequences would be moderate 
in the near-term, because we haven’t fully migrated to the new 
way. I would suggest to you that by 2007 and 2008, this is the tip- 
ping point when most the business will run that way. And at that 
point, I would suggest, it might be catastrophic. 

Mr. Gordon. And is there a role for the United States Federal 
Government to play in helping you avoid catastrophe or to recover 
from it if it did occur? 

Mr. Leggate. I think, absolutely, going back to the Chairman’s 
remarks about setting up a new post within the Department, I 
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think the issue is to make progress and retain focus to put things 
in place in the near time frame rather than taking five or six years 
to move to a better place. 

Mr. Kepler. Yes, if you take the first point, which is what I do 
believe is a major risk or consequence here, if communications, 
both voice and the Internet, is the key vulnerability in my mind 
and risk. If communication stops, commerce stops. And if commu- 
nications isn’t there, you can’t recover. So really, looking at a major 
catastrophic failure in communications is really the real critical 
issue, in my mind, around cyber security. And so when you ap- 
proach that, what are the major risk areas for that to happen we 
will have to address, and not only recover and response, but part 
of addressing with risk is containment and mitigation. So when we 
have those risks, we do see parts of the infrastructure fail, but we 
can’t have it cascade and completely fail. So how do you contain 
those failures is something that we need to work on, and that 
needs to be collectively done between the government and industry 
to model those threats and to come up with response positions. 

Mr. Freese. From the electric sector, it measures very well with 
what he is saying. The telecommunications infrastructure and the 
electric infrastructure are very closely matched. A problem with 
telecommunications will impact the electric control systems, in 
most cases. If I look at it strictly from an electric company — or elec- 
tric sector perspective, we are vulnerable to an undetermined ex- 
tent based on the number of utilities that are in the country and 
the number — the amount of information that is shared even be- 
tween utilities is very scarce. I can say if we have network security 
in place, if we have our communications security in place, we are 
all right. But I don’t know how many of the companies are in that 
situation. I would say the government can assist with that by, as 
I mentioned, keeping the R&D programs with the Idaho National 
Lab, Pacific Northwest National Lab, Sandia in place, and working 
on cyber solutions that we need now. I mean, research and develop- 
ment for long-term solutions is great, but we have some pressing 
issues now. 

Mr. Geisse. I guess I would add, for the communications indus- 
try, it is very similar to the other industries with one exception. We 
keep our network, general purpose type network for our customers, 
independent and separate of the Internet network to try to prevent 
that sort of issue to begin with. 

And I think you also asked what do we do about it if that hap- 
pens, we have a very focused effort, something that we constantly 
test and for disaster recovery. If we have a disaster like that, how 
do we bring up a duplicate, for example, network operations center. 
We have duplication throughout our network to prevent it. 

I think the government can help in a lot of ways. One is hearings 
like this that put some focus on it are important. I think doing 
R&D and research is important. But I also think, from my own per- 
spective, there are reasons for these attacks, and you need to start 
treating them just like you are treating terrorists and other things 
and actually go after them and prevent it before it happens. 

Mr. Gordon. Thank you very much. 

Chairman BOEHLERT. Thank you very much. 

The gentleman’s time has expired. 
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And before I turn to the eloquent Mr. Akin, just let me point out 
the private sector. All of your affiliations have active lobbying ef- 
forts on Capitol Hill. And my experience with lobbyists; they are 
very valuable assets. They provide additional information to us, 
and hopefully we listen to both sides of the story, but that you have 
got to attach a higher priority to lobbying the Congress, our col- 
leagues outside this committee, who don’t really understand the 
full dimensions of this yet to, when you call on the Members, advo- 
cate for more R&D, for example, into cyber security, for better co- 
ordination, for more attention. 

And so please carry that back to your hired guns, so to speak. 
And I use that as a positive not a pejorative. But you have got to 
focus on the importance of this subject. And tomorrow’s papers will 
come out. The evening news will come out. Then this won’t even 
be mentioned anyplace, because, as I say, in most quarters it is 
greeted with a muffled yawn, and yet we know, you know in your 
sharing with us, how important this is and the potential impact it 
could have on our entire economy. 

So with that, let me turn to the always eloquent Mr. Akin. 

Mr. Akin. Thank you, Mr. Chairman. 

I will try not to be too long in my eloquence here. I just had a 
couple of quick questions. 

And let me explain where I am coming from. I am also serving 
on the Armed Services Committee, and one of the things that the 
House is doing is trying to do a complete analysis of where we are 
relative to defense and all. So my questions are more directed to- 
ward a situation where somebody, even a major nation state, might 
try to precipitate some coordinated attack in this area. 

So my first question is kind of a simple one. After September 11, 
cell phones and phones became pretty much inoperative. Was that 
because of the volume of traffic? 

Mr. Geisse. I guess I will answer that one. Congressman Akin. 

Are you talking about specifically in New York? 

Mr. Akin. Well, actually, here in DC, cell phones were useless. 
You couldn’t get a call or anything. 

Mr. Geisse. I am not familiar with that, but my guess I mean, 
the reality is of how those networks are designed, there is a limited 
amount of frequency that you get from the Federal Government for 
those networks, and as a result, a limited number of calls you can 
do at any one time. And I imagine the call volumes were way high 
that day. 

Mr. Akin. So consequently, that would jam everything up? 

Mr. Geisse. Well, I am sure there is a certain amount of calls 
that would get through. But one of the things that we do that you 
may not be aware of is for the Federal Government, in an emer- 
gency like that, we reserve a certain amount of the network for 
them, from a priority perspective for calls. 

Mr. Akin. Okay. Now let us say that we are talking about more 
this organized sort of attack type of situation. First of all, just sim- 
ply how vulnerable are we? And second of all, what are some of the 
first things that you would do to try to protect against that? 

Mr. Geisse. As part of the co-chairs of the National Cyber Re- 
sponse Coordination Group in Department of Defense, and their 
representatives include those from the Office of the Secretary and 
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the Joint Task Force on Global Network Operations, we have been 
doing tabletop exercises among the membership at the National 
Defense University to make sure we have the communication paths 
and processes in place to make sure we have a coordinated govern- 
ment response to such attacks. 

Mr. Akin. Anybody else want to take a shot at that? 

Mr. Kepler. I would just say that when you get prepared for the 
scenario you are talking about, you have to worry about diversity 
before you start, so we would look at cell phones, land lines, pri- 
ority lines, multiple carriers, Internet communications, so the 
whole concept, I think in this environment, is diversity so you can 
respond over whatever happens to be up at the time. That is the 
key point in my mind. 

Mr. Akin. So you are saying have enough backup kinds of sys- 
tems that are going different ways that you could run things a dif- 
ferent direction? 

Mr. Kepler. It is hard in scenario planning to target an exact 
backup. That is why I think diversification of different types of 
routing, circuitry, different methods, whether that is satellite or 
whatever, are pretty key, because then you would have to take out 
different types of infrastructure, which is a challenge. 

Mr. Geisse. I would like to add one thing. Congressman Akin. 

I know of at least one situation that is public, it was in the pri- 
vate sector, where a cyber attack was used specifically to gather in- 
formation from a competitor, so they put out a virus that basically 
the company didn’t even know was there, collected data, trans- 
mitted it back. And so I think that type of attack that you bring 
up is very possible, and I think part of it is we have to start getting 
proactive. We can’t keep sitting back and preventing after we see 
the worm, after we see the virus. We have to start getting and cre- 
ating technologies that go out and prevent it before it ever hap- 
pens. 

Mr. Akin. Right. So now some of what we have got is going to 
be software-related types of attacks. Some are going to be just sim- 
ple hardware things like, you know, an electromagnetic pulse or 
something that is just simply blowing up a communications hub or 
something, right? And so what you are saying is a diversity of ways 
of moving information is probably your best — and you are saying 
that we are making some progress in that regard or that we still 
have — what is your — what would you say would be our level of vul- 
nerability? Could you just hit the system in a couple of places and 
shut the country down or would it be pretty hard to just pick sev- 
eral things to do? 

Mr. Freese. From the communications perspective, as it applies 
to electricity, you could shut down various areas and regions. I 
don’t think you could shut down the entire country. That is a — that 
is kind of a misconception. You could take out a significant region 
of power and communications, however. 

Mr. Akin. From an electric grid point of view? 

Mr. Freese. From an electric and a communications point of 
view. 

Mr. Akin. Yeah. 
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Mr. Freese. I don’t think you would have an entire country 
down from a telecommunications perspective from a localized at- 
tack against a certain region. 

Mr. Akin. Again 

Mr. Gordon. Would the gentleman yield? Ask him how long. He 
is going to be down for how long? 

Mr. Akin. Go ahead. Yeah. 

Mr. Gordon. If you would. I mean, you say we would be down, 
but for what period of time? 

Mr. Freese. Well, that depends on a lot of different things. It de- 
pends on what you have for backup communications. 

Mr. Gordon. Are we talking minutes, hours, or days, or weeks? 

Mr. Freese. I would say, in some cases, hours, some cases, days. 
He would be better to tell you how long it would take telecommuni- 
cations to come back up. 

Mr. Akin. Yes. You can go ahead and respond. 

Mr. Gordon. Thank you. 

Mr. Geisse. Yes, sir. 

From a communications perspective on a cyber attack, the way 
we do our networks, it wouldn’t affect the communications network 
itself, because we keep it independent. But what it does impact is 
the systems we use to monitor it, to provision it, to make sure that 
we can keep the network up. And that is why it is still extremely 
critical. And I think that Mr. Leggate made a point earlier on that 
as the future goes on, and more and more things run on the Inter- 
net itself, we more and more vulnerable versus the separate net- 
works that we have today. 

Mr. Akin. So to some degree, the lack of sophistication, if you 
will, or the duplication, is giving us a lot more protection than we 
would have in the future? That is a point several of you have made 
then. 

Yes. Well, I think my time has expired, and I don’t want to be 
excessively eloquent, so 

Chairman BOEHLERT. Well, all right. Fine. We will permit you to 
be excessively eloquent. 

But Mr. Purdy, you had your hand up. 

Mr. Purdy. Yes. I just wanted to mention that in a major situa- 
tion, we have the critical infrastructure warning information net- 
work that is a survivable network connecting our Department with 
various critical sectors in the country, including electricity, infor- 
mation technology, and telecommunications. State Homeland Secu- 
rity Advisors, sector-specific agencies, and resources in each critical 
infrastructure, and we are building out that network to greater 
connectivity over time. 

Chairman BoEHLERT. When the warning is issued, hopefully the 
message is not only heard but heeded. I would point out that one 
of the agencies under the jurisdiction of this committee is NOAA, 
which is the parent agency for the National Weather Service, and 
if you are looking for bright lights in the aftermath of Katrina, one 
of the bright lights is that the National Weather Service, on five 
o’clock, on the Friday preceding the Monday morning when Katrina 
actually hit land, the National Weather Service put out an alert, 
a weather alert that a category four or five hurricane was due to 
hit within 72 hours. That went to every emergency responder. 
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every state capitol, every major city, but some people didn’t pay 
much attention. 

Mr. Honda. 

Mr. Honda. Thank you, Mr. Chairman, and I appreciate this op- 
portunity. 

There are two arenas I would like to just bring up, and it has 
been touched upon a little bit. But one is, I represent Silicon Val- 
ley, and in our valley, we house the backup data and even the pri- 
mary data of many businesses. Perhaps some of yours are housed 
there. And maintaining both the integrity of and the appropriate 
access to this data is essential for normal operations. But in the 
event of not only a cyber attack, you have made some comments 
in that arena and physical attack, but coupled physical and cyber. 
I am not sure that that was discussed very fully. And also a re- 
sponse on how we would be responding to a natural disaster. And 
I bring that up, because my valley is situated between the San 
Andreas Fault and the Hayward Fault. And I am not sure that 
that kind of an incident or occurrence has been thought of. And 
given Katrina, I think that natural disasters we found that some- 
times it creates a lot of unintended consequences that we have to 
anticipate. 

The other question is the information sharing and exchange, that 
has always been something I have been concerned about since 9/11. 
And in terms of cyber security and information exchange, where 
are we in the Department of Homeland Security in that effort? And 
I would like to know what the private sector feels that we are, and 
what grade would you give the Department of Homeland Security 
at this point in time? And then I suspect that we are going to have 
a new Assistant Secretary of Cyber Security. What advice would 
you give that person at this point in time relative to information 
sharing? 

Thank you, Mr. Chairman. 

Mr. Kepler. Let me try to answer maybe a couple from my view. 

The one point you made, if you think of weather systems, we are 
getting a lot better at modeling hurricanes. If you think of earth- 
quakes, we are getting better, but not nearly to the sophistication. 
To other external threats, we don’t have the same type of modeling 
and predictive capabilities. So part of the response is getting that 
predictive capability. So we really need to think about that as we 
go forward and look at strengthening that. That is one of my 

Mr. Honda. Does our — do we have a redundant system that will 
accommodate all of those three areas? 

Mr. Kepler. Well, there are just a couple of areas we are talking 
about. One is the prediction so you can become better prepared in 
stages. You go closer like you would. Another activity is to have di- 
versification of your infrastructure and recovery protocols, so most 
major companies are positioned to have recovery plans, crisis man- 
agement plans in place. We have corporate crisis management 
plans since the late ’80s. When 9/11 occurred, we actually invoked 
that. We weren’t majorly impacted, to one of the other points ear- 
lier, some of the small businesses and structures that may not have 
that level of sophistication. 

I think it is also a challenge in terms of information sharing, 
which is critical in protecting and responding. The private sector 



67 


is bound between antitrust laws and Freedom of Information issues 
and sharing information. That, to me, is a critical issue that we 
still need to balance on. So while you are trying to address this 
thing, we can actually be non-compliant with other laws. So how 
we really focus on that information sharing is really a critical as- 
pect of it. 

Mr. Honda. Thank you. 

Mr. Freese. I would like to add something about the natural dis- 
asters response you were talking about. 

Even during Katrina, there was some extensive physical damage 
to the electric infrastructure, to the communications infrastructure, 
and several others. Okay. And that is going to happen regardless 
of what type of natural disaster you have got. So what your main 
concern is, at that point, is making sure that those problems don’t 
cascade outside of the immediately affected area. And I think it 
was true testimony to everybody’s professionalism down there that 
the electric sector maintained power around the area. There were 
no cascading failures. Communications was set up via the Internet 
and temporary communications, so there are ways to do this. But 
I don’t see a really good way around the physical damage, physical 
destruction of the infrastructure. That is very difficult to have a 
backup to outside of the affected area. 

Mr. Honda. And in the affected area, was there a replacement 
system that took place of the current power, no pun intended, not 
electrical power, because people were afraid 

Mr. Freese. No. 

Mr. Honda. — of electrocution? 

Mr. Freese. No, there was not. There were substations that were 
damaged and put out of service. There were lines down. That type 
of physical damage just takes time to repair. Now there are ways 
of bringing temporary transformers in, those types of — getting the 
lines back up, temporary lines run, but that, of course, takes time 
and effort and significant funding. 

Mr. Honda. Would wireless and satellite connections replace that 
loss of 

Mr. Freese. From the communications perspective, yes. 

Mr. Geisse. Yes. For example, in Hurricane Katrina, one of the 
first things we did is send down — we call them “cellular on wheels.” 
They are basically cell sites that are built into a truck. We sent 
over 300 of those down there immediately for — so that we could set 
up cellular service in Katrina. 

Mr. Honda. Was that private sector strategy or was that 
something 

Mr. Geisse. Private sector strategy. 

Mr. Honda. And is that something that we should look at in 
terms of the government’s side? 

Mr. Geisse. Well, I guess here is my answer because I think your 
question is, as I understand, and it is well founded. I mean, you 
know, we have had many disasters in California from the fires 
down in LA to the mudslides to our own issues with flooding and 
weather. And we have response units within our company to go out 
and handle those types of situations so that we can get service up 
and repaired as quickly as possible. And it is not as simple as just 
dropping in a second system, because really, in many cases, like. 
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for example, the fires down there, we had burned up wires that we 
had to go in and replace and put up and running and working. I 
think what the government can help on this, and I think it has 
been brought up here several times, is start focusing this as a 
major issue and that we are all prepared, as different industries, 
to work together in a real disaster. 

Mr. Freese. If I may just finish up with one thing about the in- 
formation exchange in DHS. As I mentioned earlier, that has been 
a problem for the last few years, and I am not sure that I under- 
stand exactly why, because DHS has a PCII program developed 
and in place. This was essentially going to let private industry 
present information to the government that would be protected and 
would not be disclosed without the private industry’s permission. 
I am not sure where that stands right now. If Mr. Purdy could give 
me an update on that program, I would appreciate it. 

Chairman BOEHLERT. Mr. Purdy, and then we will go. Mr. 
Honda’s time is expired. We are generous. 

Mr. Purdy. Yes, the PCII program, which has been operating 
under an interim rule since the time it went into effect, will be sub- 
ject to a final rule. It is under current consideration by the DHS 
General Counsel, Phil Perry. We expect that revised rule to come 
out momentarily. But in the meantime, we are trying to facilitate 
information sharing, building on some key legacy organizations, 
such as the NCC ISACs, the NCC generally, but we have leveraged 
the source of information across the federal agencies, so we get bet- 
ter information now, and now we can share it. Plus, we have en- 
hanced the information we get from the intelligence and the law 
enforcement folks, and we can put out targeted bulletins to the 
technical or non-technical sector, to government or the private sec- 
tor, that we don’t associate with the source of the information. So 
we can get sensitive law enforcement-sensitive information, classi- 
fied information that we can turn into actionable guidance. In addi- 
tion, we are building a North American Incident Response Group 
of private sector folks. We met last week in Silicon Valley with a 
number of companies out there. We have a meeting that is ongoing 
right now in Arlington with a number of companies. We are trying 
to build that capaWlity. The ISACs, we met with the ISAC council 
with the Assistant Secretary earlier this week. The sharing of in- 
formation with the ISACs is a fundamentally important thing. 

In addition, there has been a robust sharing among ISACs that 
is centered by the IT ISAC. We have our US-CERT secure portal 
that has 2,000 private and governmental folks involved in sharing 
information in a secure environment. We are going to tie in that 
IT ISAC information sharing, because we believe it is a combina- 
tion of building trust, giving value, because we have a major pri- 
vate sector retreat next week that the private sector is hosting. We 
want to share what we know, what of that do they want, and let 
us accelerate the mechanisms for getting that information. Because 
folks, if they go to the effort or decide whether to go to the effort 
to share information, it is important to protect it, but it is also im- 
portant for them to think somebody cares about it, somebody uses 
it, and we provide value back to the private sector. And we are 
committed to do that. 

Chairman BoEHLERT. Thank you very much, Mr. Purdy. 
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The Chair recognizes Dr. Bartlett. 

Mr. Bartlett. Thank you very much. 

Mr. Leggate, in your written testimony, you note that businesses 
and governments can plan for expected failures. But even the best 
prepared organizations and corporations may be woefully inad- 
equate in responding to complex, low-probability, high-impact fail- 
ures. If a large-scale Internet outage or significant reduction in per- 
formance would occur, the unexpected effects on whole sets of in- 
dustries, utilities, and enterprise could have surprisingly large eco- 
nomic and social impacts. For the few moments that we have, I 
would like to engage you in a discussion of the ultimate low-prob- 
ability, high-impact failure, and that is a nuclear EMP attack on 
our country. 

For several years, I have been concerned with this, and I got leg- 
islation about three years ago to set up an EMP Commission which 
acted for two years, chaired by Dr. Bill Graham, Rumsfeld’s deputy 
in his emerging ballistic missile threat commission. They have now 
issued their report. Senator John Kyi has, in the last few weeks, 
had a piece in the Washington Post reflecting his concern for this. 
Newt Gingrich and his colleague. Bill Forstchen, have written a 
fascinating novel, which will be out next summer. I encourage you 
to read that. It is called “One Second After.” They have done very 
good research. It is quite accurate. Because even the level of con- 
cern may be classified, I will only tell you that within the Pentagon 
now, there is a growing concern for a nuclear EMP attack. 

The Russian generals can tell us things that I maybe cannot tell 
you, because they would be classified, but the Russian generals tell 
us that they have developed a nuclear EMP weapon that will 
produce 200 kilovolts per meter, that a large weapon detonated 300 
miles high over the center of our country, Iowa or Nebraska, would 
blanket the whole country, and at its margins, would be 100 kilo- 
volts per meter. The Russian generals tell us that the 200 kilovolts 
per meter is several times the level to which we tested. I cannot 
tell you to which we tested. I think that is classified, but the Rus- 
sian generals say that that is several times the level to which we 
tested. And at the margins, it is probably a couple of times to the 
level at which we tested. 

My question is what are we doing to prepare for an EMP attack? 
The Commission, by the way, noted that this is one of a few inci- 
dents that could, you know, and I am going to put their caution in 
the common vernacular, it could end life as we know it. What prep- 
arations are we making for this low-probability, high-impact prob- 
ability? 

And I would like to ask Mr. Freese, if a failure of the power sys- 
tems resulted in the loss of our major transformers, how long 
would it take to get a new one, and where would you go to get a 
new one? 

Mr. Freese. Okay. We have multiple sizes of transformers. Some 
of them are readily available in spare parts. 

Mr. Bartlett. But isn’t it true, sir, that the larger ones that we 
don’t even make in this country 

Mr. Freese. Yes, sir. I 

Mr. Bartlett. — it would take you maybe 18 months to get 
one 
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Mr. Freese. Yes, sir. 

Mr. Bartlett. — ordered from overseas? 

Mr. Freese. I was going to mention that at the 

Mr. Bartlett. That is correct? 

Mr. Freese. There are some major transformers that are not 
made in this country, made in Europe and in Asia, and it would 
take up to 18 months to get one sent over to the United States. 
That is one at costs of several million dollars. And we, frankly, 
don’t have a lot of those spare parts laying around. 

Mr. Bartlett. But you do have a few spare transformers? 

Mr. Freese. Yes. 

Mr. Bartlett. They are in the field? 

Mr. Freese. Yes. 

Mr. Bartlett. They are beside the transformer that if it went 
out, you couldn’t serve your customers. But an EMP attack would 
take out both of them, would it not? 

Mr. Freese. Yes, sir, it would. 

Mr. Bartlett. I hope that my colleague. Dr. Ehlers, has an op- 
portunity to pursue this, because already our yellow light is on. 

But I want to ask each of you the level of concern in your dis- 
cipline about EMP attack and what you are doing. 

Let me start with Mr. Purdy. What is your level of concern, sir, 
and what are you doing about it? 

Mr. Purdy. Well, this issue is concerned in the larger context of 
the full potential threats to the telecommunications infrastructure. 
The Department of Homeland Security is working with the Depart- 
ment of Defense and Central Intelligence Agency to ongoing assess 
the developments of the kinds of technology you are talking about 
to consider the full range of these kinds of threats against various 
sectors, including the use of EMP and telecommunications electro- 
magnetic disruptive effects. 

Mr. Bartlett. Sir, when will you, because our time is very short, 
when will you be able to tell us of our level of vulnerability and 
your recommendations for what we do about it? Just tell us when 
you will be able to tell us that. 

Mr. Purdy. Well, we already made recommendations and mitiga- 
tive measures have been taken to enhance the equipment providing 
greater protection in the event of an EMP threat. 

Mr. Bartlett. My red light is on. Let me just make one observa- 
tion and ask if this is not correct. 

We have SCADA systems and we have computers embedded in 
those, and it is my understanding that we may not even know who 
made those computers. And if we know, they may no longer be 
available, there are so many of those that it would be impossible 
to harden them, and that unless we are going to replace all of those 
SCADA systems, we are going to remain vulnerable to a pretty 
broad scale shutdown of our infrastructure in the event of an EMP 
attack. That is correct? 

Mr. Freese. Well, sir, I mentioned it earlier that our electric in- 
frastructure is made up of a lot of legacy systems that don’t sup- 
port new technological security protections and it will take, prob- 
ably, a new generation of infrastructure to completely eradicate 
those from the system. Right now, we are working with obsolete 
equipment in a lot of cases. 
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Mr. Bartlett. I know my red light is on, Mr. Chairman. I just 
want to note that although not one in 100 of our citizens may know 
about nuclear EMP attack, I will assure you, sir, that every one of 
our potential enemies knows all about it, and it is in their open lit- 
erature. 

Thank you very much. 

Mr. Akin. [Presiding] Thank you, Mr. Bartlett. 

Mr. Miller. 

Mr. Miller. Thank you, Mr. Chairman. 

The 9/11 Commission said that private sector preparedness for 
terrorism attack now must be regarded as part of the cost of doing 
business, certainly for critical industries and any kind of critical in- 
frastructure. And you can no longer — no industry that is part of 
our critical infrastructure can ever claim again that a nuclear — 
that a, excuse me, terrorist attack is not foreseeable. It must be 
foreseeable. Do all of you agree with that? 

Yes, sir. 

Mr. Leggate. I would say the point you come to is the range of 
scenarios that companies use to do their testing of their systems 
that, in a sense, prior to 9/11, we wouldn’t have conceived 

Mr. Miller. Right. 

Mr. Leggate. — events of this kind. But what we have to do is 
learn from 9/11, learn from the tsunami 

Mr. Miller. Right. 

Mr. Leggate. — New Orleans, and also from the bombing in Lon- 
don, for example, which we have been involved in managing. So 
each one creates a new set of situations, and then companies, and 
I would make a plug for this, really have to really run these sce- 
narios hard and find out, I would call it the disconnected pieces, 
the things that you wouldn’t have predicted that show up. And it 
also applies at the national level as well. So there is enormous 
value in running these scenarios. Then to find out the things that 
do fail well ahead of time. 

And number two, prepare your management teams, either at the 
country level or the corporate level, to respond effectively during 
difficult situations. 

Mr. Miller. Okay. Yes, I agree with you. You can’t just respond 
to the things that have already happened. Be prepared for things 
that we know can happen, because they have happened. We really 
do need smart people lying awake at three o’clock in the morning 
trying to figure out what could happen next and how to be pre- 
pared for that. 

The 9/11 Commission also said that we needed to develop stand- 
ards for preparedness in the private sector that does provide for 
business continuity and mitigation, redundancy, and that those 
kind of commonly understood standards, they praised the stand- 
ards developed by the American National Standards Institute, 
ANSI, should become the standard of care for purposes of legal li- 
ability. Is there anything like that in the cyber field? Is there any 
kind of standard of care that is the industry standard that is well 
understood this is what you do to be prepared against a cyber at- 
tack? 

Yes, sir. 
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Mr. Freese. Yes, sir. In the electric sector, we have the North 
American Electric Reliability Council, twelve hundred cyber secu- 
rity standards. These have been in place for almost two years, and 
they provide a very, very solid best practices approach to securing 
critical security systems and other critical systems against cyber 
attack. It extends into business continuity, disaster recovery, per- 
sonnel issues, background checks, network security, transmission 
security, and communications security. So these are in place right 
now. 

Mr. Miller. Okay. And Mr. Purdy, does the Homeland Security 
Department embrace the finding of the 9/11 Commission that there 
should be legal liability for the failure to prepare up to the stand- 
ard of care in industry? 

Mr. Purdy. We have not taken a position on whether there 
should be liability in that instance. What we are finding is that the 
interpretation of the Sarbanes-Oxley statute, requiring that the 
CEOs and Boards of Directors exercise due care in their risk miti- 
gation processes has led the CEOs to fashion their risk mitigation 
strategies based on best practices. NIST provides very substantial 
guidance on best practices for information systems. The FISMA 
standards for federal systems provides similar guidance, and we 
are working with NIST on additional guidance along those areas. 

Mr. Miller. Okay. The usual legal liability is for the damages 
that would be foreseeable from a failure to abide by the legal 
standard of care. Mr. Freese, for instance, in the energy area in the 
electric grid, what would be the foreseeable loss from a cyber terror 
attack that was foreseeable, should have been foreseeable, and that 
the failure to abide by industry standards had led to it? 

Mr. Freese. Please rephrase the question for me. 

Mr. Miller. Okay. I will admit that was a little garbled. I will 
try that again. 

What is a foreseeable loss, not just to a power company, but from 
all of those who do business with it who depend upon it for their 
power from a cyber security attack? 

Mr. Freese. Well, it is going to be very significant. From the 
electric sector, it is one of the primary critical infrastructures in 
the country. There is virtually nothing that doesn’t use electricity. 
Businesses, the military, everything uses electricity. If you have a 
major cyber attack that takes out an entire region of the country, 
everyone is going to be impacted within that region. I mean, there 
is — there are some backup generators. There are backup power 
supplies, but essentially, a lot of companies are going to take major 
losses, financial losses, if there is a major outage that lasts any pe- 
riod of time. 

Mr. Akin. The gentleman’s time has expired. 

Mrs. Biggert. 

Ms. Biggert. Thank you, Mr. Chairman. 

Mr. Kepler and Mr. Freese, you both mentioned your work with 
the National Laboratories on your critical infrastructure protection 
efforts. Could you give us a little more detail about your work with 
the Labs? And have they been helpful? 

Mr. Kepler. Yes, I would be happy to do that. 

To link the two discussions up here, from an American Chem- 
istry Council point of view, we have a concept called “Responsible 
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Care” that we expect our members to subscribe to. In that is a cer- 
tain set of management practices of how you approach all aspects 
of stewardship in your industry, including security. And in that is 
embedded cyber security. With that, these are management prac- 
tices, and you need to establish standards of how you do that in 
compliance. You don’t want to subscribe to exact solutions, because 
this is such a dynamic area. So we have worked with organizations 
that have been outlined, as well as international standards organi- 
zations, and tried to build those in. For example, in plant vulner- 
ability, assessments and design is a great example. Just the cor- 
porate management systems for how you put in place corporate 
governance of security, including cyber security as well. 

Ms. Biggert. Mr. Freese. 

Mr. Freese. We have worked significantly with the Idaho Na- 
tional Lab and Pacific Northwest National Lab on SCADA, specifi- 
cally. We are looking at encryption technologies, encryption of con- 
trol signals to prevent interception or injection. We are looking at 
secure authentication. And this is, again, this is trying to secure 
the current systems we have now prior to any long-term R&D com- 
ing into fruition. There is a SCADA testbed at the Idaho National 
Lab that is extremely valuable. It can be used to solve a lot of prob- 
lems with information security, especially if it is coordinated with 
the — they also have an energy infrastructure set up at Idaho Na- 
tional Lab that has got end-to-end — well, for an example of infra- 
structure for telecommunications and electricity, you can do end-to- 
end testing, and you don’t have to bother with piece meal solutions. 
You can go and do an entire range of trial and error. And I think 
those programs are extremely valuable, and they are not made 
enough use of right now. And I think we should expand the use of 
those, particularly in the SCADA testbed. There is a lot of equip- 
ment that is used commonly by many, many companies, and those 
would apply particularly well to that particular test environment. 

Ms. Biggert. Thank you. 

And Mr. Purdy, you know, the Labs do have expertise in both 
computers and the networks and the critical infrastructure protec- 
tions. To what extent is your Division working with the National 
Labs and the U.S. research universities? 

Mr. Purdy. One of the highest priority programs for NCSD is our 
Control Systems Security Program. We funded it at over $11 mil- 
lion in 2005, and the President’s budget proposes over $15 million 
in 2006. At the heart of that is our work with the Idaho National 
Lab and the partnership with the other Labs and partnership with 
the Department of Energy on their area of responsibility, and the 
Science and Technology Directorate. So that is a hugely significant 
area that we are working in close partnership, not only with the 
Labs, but the key private sector folks. We helped form, for example, 
the Process Control Systems Forum, which is made up of hundreds 
of owners and operators. In addition, NIST has an Advisory Group 
of owners and operators. We are working with DOE to build the 
network of the control systems owners and operators so that we get 
the shared information on attacks and failures and that we can 
have a continuous loop, but it has R&D aspects, incident response 
aspects, and there are short- and long-term benefits to this pro- 
gram. 
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Ms. Biggert. Thank you. 

And then time for one more question to Mr. Freese again. 

One aspect of cyher security is making sure that the Internet and 
other information networks are up and running. And isn’t elec- 
tricity critical to keeping the information networks, like the Inter- 
net, operational? So if so, then cyber security is critical to your core 
business of ener^ production and distribution. But your core busi- 
ness also is critical to the cyber security of other sectors of the 
economy and the Nation as a whole. Is the energy sector giving 
equal attention to cyber security and the protection of critical en- 
ergy infrastructure? Is one more important than the other or are 
they the same? It seems like we have got the chicken and the egg, 
which is going to be 

Mr. Freese. Yeah, it is kind of a chicken and the egg situation. 
But I believe sincerely that the energy sector is extremely aware 
of their responsibilities to the rest of the country to provide com- 
munications, the Internet, all of those things. We are — we have 
formed major industry groups to look at security within the indus- 
try itself across the sector, physical and cyber security, physical 
primarily to protect the cyber assets. And we take that very seri- 
ously. And we understand that there are these interdependencies 
that we are a primary part of in a lot of areas in a lot of critical 
infrastructure sectors. 

Ms. Biggert. Okay. Thank you. 

My time has expired. 

Mr. Akin. Ms. Johnson. 

Ms. Johnson. Thank you very much, Mr. Chairman. 

I ask unanimous consent to submit my entire statement to the 
record and welcome this esteemed panel. And let me apologize for 
having to 

Mr. Akin. Without objection, that will be entered in the record. 

Ms. Johnson. Thank you. 

I apologize for having to dash out and come back. 

And Mr. Geisse, welcome. I know two of your colleagues, John 
Mumford, whom I served in the Texas Senate with on the Finance 
Committee, and Mr. Whitacre that I have known for 20 some 
years. So welcome to this committee. 

I have some questions that I am asking anyone to answer. And 
maybe you have already answered, and if you have, just tell me, 
and I apologize for asking again. 

But what is known about the vulnerabilities of different sectors 
of the economy that rely on networked information systems, and to 
what extent can the seriousness of the threat be quantified or 
prioritized? 

Go ahead. 

Mr. Purdy. The National Infrastructure Advisory Council, a 
Presidential Advisory Group, made up of private sector individuals, 
has done an assessment of the risk and threat to the different crit- 
ical infrastructure sectors and the dependency of those sectors on 
each other. That is not available for public dissemination. We are 
using that as part of our process of identifying the cyber risk as- 
sessment as part of our fusion of the intelligence vulnerability and 
consequences information and in our work on developing scenarios 
that I talked about in my testimony so that we can understand 
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what is necessary to mitigate the possibility of those vulnerabilities 
being exploited, how are we going to respond to those, and how are 
we going to reconstitute. And we look forward to that being a 
strong public/private partnership. 

Ms. Johnson. Thank you. 

Anyone else? 

Thank you very much. 

Is the government sponsoring enough R&D in an effort to aid the 
public sector with cyber security? 

Yes. 

Mr. Purdy. Let me answer the question this way. 

The Federal Government, under HSPD-7, has coordinated, under 
the leadership of the Office of Science and Technology Policy, the 
President’s Science Advisor, and the Science and Technology Direc- 
torate. They will be issuing a national cyber R&D plan in the very 
near future which will serve the benefit of scoping out what needs 
to be done. They also had an interagency group to identify and 
track what is happening and what needs to be happening in cyber 
security. It is my hope that as the articulation of what needs to be 
done and the specific requirements are laid out, then those who 
feel that the priorities aren’t the right priorities or feel that the re- 
sources aren’t the right ones, then, perhaps, can suggest where the 
extra emphasis and resources need to be placed. 

Ms. Johnson. Do I have a little bit more time for another ques- 
tion? I guess 

Mr. Akin. The gentlelady does have a minute and 43 seconds. 

Ms. Johnson. Okay. Thank you. 

There are two aspects of cyber security that I have concern 
about, because of my constituency and because of Homeland Secu- 
rity. One is that I have not met a person who is not suspicious of 
all of their business being available through the networks. And I 
would like some comment on that on just how secure that is, and 
two, for terrorist attacks. 

So I invite anyone to comment to see what we need to do or what 
is the risk or what is real and what is imagined. 

Mr. Kepler. On the second part, I think when you look at the 
access to terrorism, this is a critical issue in terms of the amount 
of information we want to provide in this country versus how that 
information could be used against us. And certainly, I mean, that 
is one of the public policy things that needs to be addressed. What 
we want to do is be able to have an open environment between the 
right people to make sure we can assess threat. The challenge is 
once you start to look at those vulnerabilities and make them pub- 
lic, they provide information to our enemies as well. And the chal- 
lenge we have is some things that may not be related to terrorism 
directly can be used as information to create attacks. And I think 
we have to spend a lot of time on public policy and on research to 
figure out how to segment those two issues and keep them bal- 
anced. 

Ms. Johnson. Are you doing any kind of PR to allay the fears 
of Americans who think that telephone companies and everybody 
else snoop into their business by computer and Internet? 

Mr. Geisse. Telephone companies snooping? 
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Ms. Johnson. Anything wired, people think they can listen to 
their conversations, get into their private business, look at where 
they shop, all of that. 

Mr. Geisse. Well, I think, you know, I will answer your question 
in that your concern about terrorist attack, your concern about in- 
formation being available on the Internet are real issues, and they 
are issues that industry has to constantly be looking at to protect 
our customers’ information, which, for example, we do in the phone 
company religiously. I mean, we take it very, very serious, our cus- 
tomer information and protecting it, and are constantly looking for 
ways to prevent attacks on that information. 

Ms. Johnson. Thank you. 

Would anybody else like to comment or do you think you are 
saved by the bell? 

Mr. Akin. The gentlelady’s 

Ms. Johnson. My time is up. 

Mr. Akin. — time is 

Ms. Johnson. Thank you very much. 

Mr. Akin. — expired, and we have a vote on the House Floor, but 
if Dr. Ehlers can go quickly, we can get that in, I think. 

Mr. Ehlers. I thank you, Mr. Chairman. 

I will try to be pretty rapid. 

First of all, to respond to my colleague who just asked the ques- 
tion about telephone companies snooping. I grew up in southwest 
Minnesota, a very small town, hand crank telephone on the wall, 
a switchboard sitting downtown with an operator, and I can tell 
you, she knew more about the business of everyone in the town 
than anyone else did. So I suspect there is considerably less snoop- 
ing by telephone companies by electronics than there was back 
then. But it is certainly a worthwhile question to ask. 

I would like to, first of all, just sitting here trying to put this all 
in perspective, it seems to me that most of the discussion has been 
about cyber security in the sense of software, and that is, of course, 
a major concern. It is a concern both in terms of industrial espio- 
nage, as it is called, certainly a concern in terms of national secu- 
rity. But then there is also the hardware factor, which was brought 
up by my colleague from Maryland. And since we are both sci- 
entists, maybe we have good reason for both worrying about the 
same thing, namely the hardware security. 

We have known about nuclear EMP for a long time. And I hap- 
pen to be a nuclear physicist and worked at Livermore for one sum- 
mer, years ago. And I never worried that much about it, because, 
frankly, I thought mutually assured destruction was pretty clear 
policy in that there is no benefit in any country to set off a nuclear 
weapon far above another country knowing that they, in turn, 
would have their systems destroyed. I do woriy about it much, 
much more now, and I think Dr. Bartlett’s fear is well founded in 
the sense that if you don’t have a country that can be 
counterattacked, and if your goal is to disable your opponent as 
much as possible and to cause grief and pain and terror, the EMP 
is a very good way to do it, if you can manage to get the weapon 
and the launch vehicle. And I think it is something we have to take 
very seriously. Mr. Ereese, I think you were a little optimistic in 
saying it would only affect certain areas of the country, but it de- 
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pends, again, on the size of the weapon. We are not hardening our 
equipment. 

And I was struck by a phrase that Mr. Kepler offered earlier that 
when communication stops, commerce stops. And I would even ex- 
tend that beyond that. When commerce stops, then life is endan- 
gered and perhaps life stops, because with the proliferation, and I 
have been worrying about this for about 10 years now. I never wor- 
ried about it too much until the proliferation of the Internet, but 
today, so much commerce is done over the Internet. But also, the 
proliferation of microprocessors and automobiles and everywhere 
else. And an EMP would not only affect communications but also 
transportation. How many of us would be able to drive our car 
after an EMP had wiped out the processors? And there are some 
250, typically, microprocessors in the average American automobile 
today. How would trucks be able to deliver a product? How would 
people get food and water? I mean, this is really a doomsday sce- 
nario. 

And Mr. Purdy, I hope that you and others are worrying a great 
deal about this, because what we really need in place is an infra- 
structure that, at least in an emergency basis, would replace the 
infrastructure that we are becoming so dependent on through our 
use of microprocessors, Internet, and so forth. 

And I would like to give any of you time to react to my com- 
ments. Maybe I am off base, and if so, I would like to hear that. 
But if you could, briefly make a comment. 

Mr. Kepler. 

Mr. Kepler. Yes, Congressman. 

I think one of the key issues as we talk about industry and gov- 
ernment relationship is understanding the roles and responsibil- 
ities. It is probably not practical for companies to go address that 
problem. That requires government from that type of level, and 
that is my broader point is these major issues need to be led by 
government in terms of how we address in the sectors need to sup- 
port. There are things the sectors need to do, but there are things 
the government needs to do in that environment. 

Mr. Ehlers. If I may just interject. It seems to me your role, 
however, is to try to harden your facilities so that you can continue 
to operate. 

Mr. Kepler. Absolutely, and that is why we need diversification 
and structure. One point that has been brought up is the idea that 
the older technology can’t be replaced, and that is true, but also the 
older technology is less vulnerable to the newer threats. So it is a 
real delicate balance in terms of putting this new technology in, be- 
cause it is actually more vulnerable because of its complexity and 
size. So that is why I think we have got to be really careful of just 
putting technical solutions in and not having the broad policy un- 
derstandings and risk balancing here. 

Mr. Ehlers. That is precisely the point, and the policy has to 
come from the Federal Government, but also the industry has to 
be aware of the need to harden their facilities as much as they can 
so at least emergency services can continue. 

Mr. Kepler. We agree with that. 

Mr. Ehlers. Mr. Purdy, do you have a comment? 
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Mr. Purdy. I will have to defer to National Communication Sys- 
tems on your follow-up question. 

Mr. Ehlers. Any other comments? 

I think everyone is eager to go vote, and I am as popular as a 
skunk at the tea party at this point, so I will defer to the Chairman 
and yield back. 

Mr. Akin. No, you are very popular. Dr. Ehlers. 

And — but your time has expired. 

And now all of our time is expired, because we have got to go 
vote. 

We will leave the record open for five days for Members to sub- 
mit additional written questions for the witnesses. 

And I want to thank the witnesses for your time and your testi- 
mony. You are experts in your fields, and you have added to our 
understanding, and we thank you. 

And the Committee stands adjourned. 

[Whereupon, at 12:00 p.m., the Committee was adjourned.] 
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Answers to Post-Hearing Questions 

Responses by Donald “Andy” Purdy, Jr., Acting Director, National Cyber Security Di- 
vision, Department of Homeland Security 

Questions submitted by Chairman Sherwood L. Boehlert 

Ql. Measuring Cyber Security 

Qla. How do you measure national cyber security 1 

Ala. National cyber security is a rapidly changing area in which a dynamic market 
drives the continuous emergence of new technologies and an evolving threat envi- 
ronment. As a result, measuring national cyber security is an important but chal- 
lenging goal. 

Organizations, including all levels of industry, government, and academia, do not 
necessarily have total network cognizance, which prevents them from being able to 
measure their own level of security. To create an assessment of national cyber secu- 
rity, an entity would require accurate reporting from all organizations that rely on 
cyber systems on their own individual networks. Until all organizations achieve 
this, it will be very difficult to measure national cyber security. 

NCSD is working toward achieving greater situational awareness through efforts 
with: federal agencies, such as federal agency network monitoring; the private sector 
through interaction with Information Sharing and Analysis Center (ISACs); and, 
international partners through the international Computer Emergency Response 
Team collaboration. Enhanced situational awareness will help to provide a better es- 
timation of the state of cyber security and identify methods of measuring changes 
and improvement. 

In addition, NCSD’s responsibilities under the National Infrastructure Protection 
Plan (NIPP) for the IT Sector and cyber guidance across the critical infrastructures, 
will involve working with key governmental entities and the private sector to com- 
plete a sector specific plan that when implemented will help to create a national 
assessment of cyber risk, together with the prioritization of cyber risk mitigation 
measures. Several critical infrastructure cyber measures and metrics will be tracked 
across each sector based on the Sample Cyber Measures and Metrics being devel- 
oped for the NIPP. 

The Counter-intelligence community also supports these efforts from the perspec- 
tive of cyber espionage threat assessments. Eoreign intelligence services are increas- 
ingly using cyber espionage as a means for collecting sensitive information. We are 
developing methodologies for identifying their cyber capabilities and for assessing, 
in more precise form, the damage to national security that might be caused by var- 
ious cyber intrusion incidents. 

Qlb. How do you determine if the Nation’s level of cyber vulnerability is being re- 
duced? 

Alb. In order to determine whether the Nation’s level of cyber vulnerability is being 
reduced, NCSD undertakes a risk management approach that includes measuring 
threat, vulnerability, and consequences. 

There are a number of DHS initiatives underway that examine cyber-related 
vulnerabilities in addition to physical risk and vulnerability assessments. In coordi- 
nation with the private sector, DHS is identifying cyber vulnerability assessment 
best practices. This effort began with an evaluation of various methodologies in use 
throughout the public and private sectors. In addition, NCSD is working closely 
with other DHS components to ensure that cyber aspects of threat, consequence, 
and vulnerability analysis are consistently and appropriately included in risk meth- 
odology efforts. These efforts include the Risk Analysis and Management for Critical 
Asset Protection (RAMCAP), the Vulnerability Identification Self Assessment Tool, 
Comprehensive Reviews, and Site Assistance Visits. 

NCSD is sponsoring several exercise initiatives that will enhance U.S. prepared- 
ness in the event of a cyber incident and improve communication, coordination, and 
procedures between DHS, other government agencies, the public and private sectors, 
and with select foreign partners. In February 2006, NCSD will conduct the National 
Cyber Exercise: Cyber Storm, which will test federal response to a cyber-related in- 
cident of national significance; examine state, federal and international intra-gov- 
ernmental coordination; and emphasize public/private cooperation and communica- 
tions using the energy, information technology, telecommunications and transpor- 
tation sectors. In addition to Cyber Storm, NCSD has also coordinated extensively 
with and supported the creation of two regional partnerships in the Gulf Coast and 
the Pacific Northwest consisting of public and private sector entities. In each of 
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these regions, NCSD has facilitated a tabletop exercise designed to raise awareness 
of infrastructure interdependencies and to identify ways to improve regional pre- 
paredness. Collaboration with State/local government and private sector companies 
has been instrumental in the success of our regional efforts in the Gulf Coast and 
Pacific Northwest. Through direct interaction and collaboration during exercises in 
these regions, NCSD has developed significant partnerships with the public and pri- 
vate sectors to better prepare for and become more capable of preventing, respond- 
ing to, and recovering from a major cyber incident. 

Cyber exercises provide the environment to develop, coordinate, rehearse, and re- 
fine key processes; integrate infrastructure protection activities within other na- 
tional-level plans; establish mechanisms for coordination and information exchange; 
and identify interdependencies, overlaps, and gaps so that all the critical infrastruc- 
ture stakeholders at every level are better prepared for and more capable of pre- 
venting, responding to, and recovering from a major cyber incident, thereby reduc- 
ing exposure to cyber vulnerabilities. 

Qlc. How do you decide what is “secure enough’”^ 

Ale. Determining a sufficient level of security is variable depending on the specific 
needs of an organization and the specific assets involved, their risk tolerance, and 
the availability of resources. By following established set standards such as Inter- 
national Organization for Standardization (ISO) 17799, an international security 
standard that includes a comprehensive set of controls comprising best practices in 
information security, as well as conducting risk assessments, entities may deter- 
mine their ideal security level. This determination must be based upon the results 
of a risk assessment in which government and the private sector respectively, can 
reasonably decide what level of risk is acceptable or what areas need improvement 
and additional effort. Entities will make the determination regarding whether or not 
improvements and additional effort are necessary, based on availability of resources 
concerning their risk assessments and acceptable levels of risk. 

Qld. Are government mandates needed to increase the Nation’s progress on securing 
information systems and to get to “secure enough”? 

Aid. Government mandates would likely not increase the Nation’s progress on se- 
curing systems to reach a state of “secure enough.” This is largely due to the fact 
that a state of “secure enough” will differ for each entity utilizing information sys- 
tems and the fact that it would be very difficult to formulate a mandate that en- 
hances security in a way that can evolve with the dynamic security and technology 
environment. Each operating environment is different and each entity, public or pri- 
vate, must determine what is needed to continue their individual critical operations 
based on their distinct environment. These case-specific needs will evolve over time. 

A comprehensive awareness program to include the promotion of a risk manage- 
ment approach, as well as accepted best practices and standards, is a more effective 
tool for enhancing cyber security and achieving a greater state of security. Under 
the NIPP framework, metrics are being developed to improve the measurement of 
cyber security across critical infrastructure sectors. 

Q2. Information Sharing 

Q2a. What information would Department of Homeland Security (DHS) find most 
helpful to receive from critical infrastructure and information technology com- 
panies? What do you, or would you, do with this information, and how would 
you protect sensitive information? 

A2a. Industry information can allow NCSD (in partnership with other government 
entities and the private sector) to identify critical assets and interdependencies, 
vulnerabilities, and problematic cyber incidents and activity, assess cyber risk and 
prioritize measures to reduce vulnerabilities and cyber risk, generally, and minimize 
the severity of cyber attacks by timely warnings and by increased awareness and 
outreach efforts to improve the cyber security of critical infrastructures. DHS has 
established mechanisms, such as the Protected Critical Infrastructure Information 
program (PCII), to encourage industry to submit proprietary/sensitive information 
that will be protected and exempt from public disclosure as determined by the PCII 
program. In addition, entities may securely submit information through the United 
States Computer Emergency Readiness Team (US-CERT) secure website. 

Industry and government can provide many forms of information that are bene- 
ficial to NCSD. First, identification of cyber points of contact within organizations 
allows the US-CERT to disseminate information on cyber threats and 
vulnerabilities to the appropriate parties. Second, industry reporting of any cyber 
incidents (e.g., worms, viruses, attacks, etc.) to the US-CERT provides NCSD the 
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ability to enhance cyber situational awareness across all sectors as well as to pro- 
vide alerts and warnings back to the public. In addition, of particular importance 
from the private sector is information about major impacts that affect critical infra- 
structure operations. 

Third, the sharing of vulnerability assessment information with NCSD, including 
methodologies used, consequences of loss, and interdependencies, can assist NCSD 
in the identification of multi-sector cyber vulnerabilities and in collecting best prac- 
tices that can be shared across sectors. Information on the cyber vulnerabilities the 
private sector is most concerned about, tactics that might be used to exploit these 
vulnerabilities, or the likelihood from their perspective that these vulnerabilities 
could be exploited, will assist NCSD in determining the state of cyber security for 
the IT Sector and the Nation. Fourth, it is important for NCSD to receive informa- 
tion on current protective measures, business continuity plans, and current levels 
of resources applied to cyber security. Insight into this information can enable 
NCSD to work even more effectively with industry to address vulnerabilities and 
further enhance protective measures. Fifth, NCSD is working with critical infra- 
structure owners and operators, vendors, and other security partners to promote 
control systems security. Information on control system architectures, protective 
measures, metrics, and research and development will further enhance NCSD’s situ- 
ational awareness and understanding of the state of control systems security and 
the ability to provide protective measures that are relevant and meaningful to the 
industry. 

Q2b. Are you currently receiving the information you need? What are the principal 
barriers to information sharing? Are changes in legislation or regulations need- 
ed to overcome these barriers? 

A2b. While NCSD does receive information from various stakeholders, we believe 
that we can improve upon our current level of analysis with more information. We 
continue to encourage companies, government agencies, and others to share infor- 
mation as described above. 

Perhaps the greatest barrier to private sector information sharing with the gov- 
ernment is concern about the possible release of shared information to the public, 
either unintentionally or by legal statute, such as the Freedom of Information Act 
(FOIA). There is a concern that the release of shared information by either means 
could potentially lead to the exploitation of any disclosed vulnerabilities by mali- 
cious actors, cause damage to corporate reputation, and/or result in legal con- 
sequences. 

DHS, through the PCII program office, is pursuing ways to make the resulting 
program as effective as possible in furthering information sharing between the pub- 
lic and private sectors by providing industry protections and assurances through 
statutory exemption categories, as afforded by Congress. 

Q3. Response to Cyber Attacks 

Q3a. If the information systems of a critical infrastructure company were attacked 
today, is the U.S. prepared to detect the attack and repel it or repair the sys- 
tems quickly? 

A3a. Approximately eighty-five percent of the information infrastructure is owned 
and operated by the private sector; consequently, the majority of response activities 
reside with the private sector. In the case of attack on private sector infrastructure, 
NCSD’s role includes providing support to the private sector in the form of warn- 
ings, incident response coordination, technical support, and coordination with law- 
enforcement as warranted. In addition, NCSD’s US-CERT provides a national co- 
ordination center that links public and private response capabilities to facilitate in- 
formation sharing across all infrastructure sectors and to help protect and maintain 
the continuity of our nation’s cyber infrastructure. US-CER'T serves as a 24x7x365 
cyber watch, warning, and incident response center, and provides coordinated re- 
sponse to cyber incidents, a web portal for secure communications with private and 
public sector stakeholders, a daily report, a public website (http:! Iwww.us-cert.govI), 
and a National Cyber Alert System, which provides timely, actionable information 
to the public on both technical and non-technical bases. US-CERT also conducts 
malicious code analysis, provides malware technical support, and conducts cyber 
threat and vulnerability analysis. US-CERT works to advance relationships with in- 
frastructure owners and operators to confirm attacks and enhance coordinated re- 
sponse activities. 

In addition, if the attack rises to the level of a cyber incident of national signifi- 
cance, the National Cyber Response Coordination Group (NCRCG) will help to co- 
ordinate the federal response, including law enforcement and the intelligence com- 
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munity, with that of the private sector. NCSD co-chairs the NCRCG with the De- 
partment of Justice and the Department of Defense. An additional thirteen federal 
agencies with a statutory responsibility for and/or specific capability toward cyber 
security, including the intelligence community, are members. NCSD serves as the 
Executive Agent and point of contact for the NCRCG. As directed by Homeland Se- 
curity Presidential Directives 5 and 8, NCSD helped to create a Cyber Annex to the 
National Response Plan (NRP)i that provides a framework for responding to cyber 
incidents of national significance. The Cyber Annex establishes the NCRCG as the 
principal Federal Government cyber response body. 

The government is prepared to respond to major cyber incidents in coordination 
with the private sector and is working to formalize incident response coordination 
by ensuring that standard operating procedures work in unison. NCSD is also work- 
ing to facilitate, enhance, and ensure public-private coordination during major cyber 
incidents. 

Q3b. What about if it were an attack on the Internet? 

A3b. As stated above, because approximately 85 percent of the information infra- 
structure is owned and operated by private industry, the majority of mitigation and 
restoration activity is borne by private industry. In this regard, NCSD’s US-CERT 
is enhancing relationships with Internet owners, operators, and other associated in- 
dustries to aide in incident coordination and communications with all players to fa- 
cilitate rapid response to a significant cyber event or incident. Specifically, the US- 
CERT maintains regular communications with the Information Technology Informa- 
tion Sharing and Analysis Center (ISAC) and the Telecommunications ISAC. Addi- 
tionally, US-CERT has established relationships with the Financial and Multi-State 
ISACs and is well coordinated with the ISAC Council that includes ISACs from 
other critical infrastructures. US-CERT is prepared to reach out and alert those 
within the ISAC communities and affected infrastructure sectors when necessary. 

A large-scale attack on the infrastructure of the Internet may constitute a cyber 
incident of national significance that would activate the NCRCG. The NCRCG is 
also building a more robust partnership with the IT sector, with Internet Service 
Providers, and through NCSD’s responsibilities for the cyber component of the Na- 
tional Infrastructure Protection Plan (NIPP) to enable a collaborative, coordinated 
approach to attack mitigation and recovery. 

The NCSD also co-chairs the Internet Disruption Working Group (IDWG) with the 
National Communications Systems (NCS). The IDWG was established by the NCSD 
and NCS to form a strategic partnership with other key government agencies. Its 
focus is to identify and detail actions that can be taken in the near-term to enhance 
Internet resilience. An initial goal of the IDWG was to reach out to private sector 
stakeholders. A one-day IDWG Forum was conducted on November 29, 2005 as an 
initial undertaking to bring subject matter experts together around a common con- 
cern: Internet disruption and hardening with a focus on gathering feedback on the 
most likely risk scenarios facing the Internet infrastructure today. Emphasis was 
placed on discussing immediate near-term needs and requirements for industry-gov- 
ernment coordination in preparation for or during an Internet disruption of national 
significance. The IDWG will analyze outcome data from the forum to develop near- 
term action plans for risk preparedness, vulnerability mitigation, and response and 
reconstitution. Information will be provided to the NCS, NCRCG and the US-CERT 
for consideration as input to the update of the NRP/ESF-2 which is the overarching 
National plan for communications recovery/reconstitution activities. Near-term ac- 
tion plans are scheduled to be completed by the end of the 2nd quarter, FY06. 

Q3c. What role can and should DHS and other public and private organizations 
play in these response activities? 

A3c. Although the private sector owns and operates such a large part of the infor- 
mation infrastructure, and that infrastructure represents a critical national asset, 
response activities reside with both the private sector and the government. DHS’s 
role is to ensure the coordination and effectiveness of government preparedness and 
response efforts in partnership with the private sector. 

US-CERT is the operational arm for DHS’s coordinated cyber preparedness and 
response and collaborates with affected parties to assist with rapid response. US- 
CERT also builds situational awareness, provides malicious code and vulnerability 
analysis, disseminates timely alerts and warnings, participates in exercises, devel- 
ops and refines standard operating procedures, and provides training. 


http:! / www.dhs.gov / dhspublicldisplay?theme=15&content=4269 



84 


As discussed above, the Cyber Annex to the National Response Plan (NRP), which 
provides a framework for responding to cyber incidents of national significance, es- 
tablishes the NCRCG as the principal Federal Government response body. The 
NCRCG will engage the applicable private sector entities to ensure both the feasi- 
bility and comprehensiveness of the mitigation and recovery strategy. 

Q3d. What are the barriers to DHS, companies, or other organizations providing a 
quick, effective, and coordinated response? 

A3d. NCSD views the current challenges to include clearly defined roles and re- 
sponsibilities for response activities. Delineating roles and responsibilities between 
the public and private sectors with regard to response is well underway. The US- 
CERT Concept of Operations (CONORS) provides federal agency reporting and co- 
ordination, while the NCRCG CONORS provides response to a cyber incident of na- 
tional significance. US-CERT and NCRCG continue to refine draft Standard Oper- 
ating Procedures (SOPS) to ensure systemization and coordination of response ac- 
tions. Also, as stated above, NCSD is working to facilitate, enhance, and ensure 
public-private coordination during major cyber incidents. 

NCSD’s Cyber Storm exercise seeks to test whether in the event of an incident, 
the public and private sectors are prepared to act in a coordinated fashion. By ex- 
amining homeland security cyber response and recovery mechanisms, NCSD can 
evaluate the existing resources and procedures to recommend improvements to in- 
formation sharing, processes, and policies for a more coordinated and robust na- 
tional cyber incident preparedness and response. Specifically, Cyber Storm will pro- 
vide the opportunity for the lead agencies in the Federal Government to examine 
their SOPS and CONORS in a controlled environment and make revisions based on 
the outcome of the exercise. 

Q4. Cyber Security R&D 

Q4a. What are the biggest technology gaps, or areas where research and development 
(R&D) are most needed, that you see in trying to protect information systems 
across critical infrastructure sectors? 

A4a. For cyber security research and development (R&D) within the Department of 
Homeland Security, the Science and Technology (S&T) Directorate coordinates with 
the National Cyber Security Division (NCSD). NCSD collects, develops, and submits 
cyber security R&D requirements to provide input for the S&T Directorate’s cyber 
security research priorities and to the federal cyber security R&D community. The 
most significant technology gaps where R&D is needed to protect information sys- 
tems across critical infrastructure sectors fall into three categories: (1) technologies 
that are applicable to standard network-based information systems, [the Depart- 
ment of Homeland Security’s (DHS) Science and Technology (S&T) Directorate is ad- 
dressing some of these through existing and planned programs within the Cyber Se- 
curity portfolio]; (2) technologies that are applicable to distributed control systems 
[the S&T Directorate is addressing these issues through existing programs within 
the Critical Infrastructure portfolio — see Q02935]; and (3) technologies that are rel- 
evant when enterprise information systems are directly connected to distributed 
control systems. 

Technologies needing further R&D related to distributed control systems are: 

— Efficient, intelligent, cross-domain intrusion detection systems 
— Effective authentication and authorization technologies 

— Methods for testing and verification of solutions to retrofit existing systems 
— Automated security assessments 
— Efficient, low-cost encryption technologies 

— Improved technologies for non-intrusive testing methods for secondary (su- 
pervisory) instrumentation systems. 

Improved technologies needing further R&D related to enterprise systems con- 
nected to distributed control systems, but are not currently commercially available 
are: 

— System-wide intrusion detection and prevention systems 
— Intelligent firewalls 
— Multi-level security systems 
— High-level auditing and reporting systems 

The Federal Plan for Cyber Security and Information Assurance Research and De- 
velopment (CSIA R&D Plan) marks the Federal Government’s first step toward de- 
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veloping an agenda for the R&D listed above. The Plan responds to significant driv- 
ers for improved federal cyber security and information assurance R&D arising from 
current federal priorities, as outlined in the 2005 report of the President’s Informa- 
tion Technology Advisory Committee (PITAC) and, additionally, the following docu- 
ments: the OSTP/OMB Memorandum on Interagency R&D Priorities for FY 2007; 
Cyber Security: A Crisis of Prioritization, the 2003 National Strategy to Secure 
Cyberspace; and the 2002 Cyber Security Research and Development Act (Public Law 
107-305). The purpose of the Plan is to provide baseline information and an initial 
technical framework for a coordinated multi-agency R&D effort in cyber security 
and information assurance. The Plan was developed by the Cyber Security and In- 
formation Assurance Interagency Working Group (CSIA IWG) of the National 
Science and Technology Council (NSTC). The CSIA R&D Plan has been coordinated, 
and is consistent with the National Critical Infrastructure Protection Research and 
Development Plan, developed by OSTP and the S&T Directorate. 

The CSIA IWG was established by the Subcommittee on Infrastructure and the 
Subcommittee on Networking and Information Technology Research and Develop- 
ment (NITRD). The purpose of the IWG is to coordinate policy, programs, and budg- 
ets for cyber security and information assurance (CSIA) R&D. This includes identi- 
fying and integrating requirements, conducting joint program planning, and devel- 
oping joint strategies for the CSIA R&D programs conducted by agency members 
of the Subcommittees. For the purposes of this document, CSIA includes funda- 
mental and applied R&D, technology development and engineering, demonstrations, 
testing and evaluation, and education and training; and “agencies” refers to federal 
departments, agencies, directorates, institutes, and other organizational entities. 

The following federal agencies are represented on the IWG: 

• Department of Commerce: 

— National Institute of Standards and Technology 

• Department of Defense: 

— Office of the Deputy Under Secretary of Defense for Science & Tech- 
nology 

— Defense Information Systems Agency 

— Defense Advanced Research Projects Agency 

— Departments of the Air Force, Army, and Navy 

— National Security Agency 

— Technical Support Working Group (joint with Department of State) 

• Department of Energy 

• Department of Health and Human Services: 

— National Institutes of Health 

• Department of Homeland Security: 

— National Communications System 

— National Cyber Security Division 

— Science and Technology Directorate 

• Department of Justice 

• Department of State 

• Department of Transportation: 

— Federal Aviation Administration 

• Department of the Treasury 

• Central Intelligence Agency 

• Environmental Protection Agency 

• National Aeronautics and Space Administration 

• National Science Foundation 

Q4b. What federal R&D programs exist in these areas and what are their funding 
levels? 

A4b. We refer you to the Federal Plan for Cyber Security and Information Assur- 
ance Research and Development (CSIA R&D Plan) for a consolidated list of R&D 
programs in the areas listed above, broken out by federal agency. The Plan also in- 
cludes detailed funding information for each of the programs. 

The federal agency funding information gathered during the CSIA Plan process 
was pre-decisional and of varying granularity; it was collected only to provide a pre- 
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liminary indication of federal agency spending emphases in cyber security and infor- 
mation assurance. Thus, the baseline findings derived from this information should 
be viewed as useful in the aggregate, but not a comprehensive source of detailed 
investment data. 

DHS’s S&T Directorate and the Office of Science and Technology Policy (OSTP) 
prepare an annual Critical Infrastructure Protection (CIP) R&D Plan, as mandated 
by Homeland Security Presidential Directive (HSPD)-7. The first of these plans is 
available to the public. It specifically addresses and combines ongoing R&D activi- 
ties and future goals for both cyber and physical domains. This plan has been thor- 
oughly coordinated across multiple federal agencies and includes input from the pri- 
vate sector, academia, and the national laboratories through a series of facilitated 
technical workshops. The plan was developed under the auspices of the Infrastruc- 
ture Subcommittee of the National Science and Technology Council (NSTC), over- 
seen by OSTP. The subcommittee further acts as an integrating mechanism for 
input and planning efforts conducted by two interagency working groups, one fo- 
cused on physical security and one focused on cyber security, that report to the Sub- 
committee. 

Within the DHS S&T Directorate, the CIP and Cyber Security portfolios have sev- 
eral programs linking cyber security research to critical infrastructure protection: 

• Process Control System Forum (PCSF) — This forum was established this year 
to accelerate the development of technology that will enhance the security, 
safety, and reliability of process control system (PCS) and supervisory control 
and data acquisition (SCADA) systems. The Forum provides a united venue 
for industry and government (including DHS’s S&T Directorate, DHS’s Na- 
tional Cyber Security Division, and other partners) to work together in evalu- 
ating, specifying, developing, refining, and testing new technologies. The S&T 
Directorate has expended $1.5M in FY 2004, and obligated another $1.5M in 
FY 2005. In FY 2006, it is anticipated that an additional $750K will be used 
to fund PCSF. 

• Control System Security Test Center (CSSTC) — In collaboration with the De- 
partment of Energy (DOE) and its resources and testing facilities, this pro- 
gram focuses on developing procedures for enumerating the vulnerability of 
process control systems to cyber attack and finding solutions to correct these 
weaknesses. This is intended to be a close private/public partnership effort 
with the critical infrastructure industries that use and manufacture process 
control systems. The CSSTC is run out of the National Cyber Security Divi- 
sion; funding does not come from the Science and Technology Directorate. 

• Linking the Oil & Gas Industry to Improve Cyber-Security (LOGIC) — This 
public-private partnership is aimed at reducing vulnerabilities in process con- 
trol environments used in the oil and gas sector by establishing a framework 
for assessing risks, evaluating new technologies, and providing an environ- 
ment for collaborative cyber-security projects. Currently in planning stages, 
this effort brings together government and private sector stakeholders to 
identify a working model for leveraging the collective resources of the oil and 
gas sector, government agencies, and national laboratories to improve process 
control system security. In FY 2006, the S&T Directorate intends to fund 
LOGIC and $500K. 

• Small Business Innovative Research (SBIR) Awards — In FY 2004, 13 Phase 
I SBIR projects were awarded in the area of process control system security. 
In FY 2005, Phase II SBIRs were awarded to a subset of the Phase I per- 
formers, on the following topics: 

— Advanced Security for SCADA Systems; 

— Protection of SCADA Systems Using Physics Based Authentication and 
Location Awareness; 

— Improved Security Information Management for SCADA Systems; 

— A Robust Secure Management System for SCADA/EMS Operations; and 

— A Toolkit for Next Generation Electric Power SCADA Security Protec- 
tion and Research. 

In SBIRs for SCADA/Process Control Security, the S&T Directorate has com- 
mitted/obligated approximately $3.75M for the Phase II efforts. 
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Questions submitted by Representative Bart Gordon 

Ql. Earlier this year, GAO reported to Congress (GAO-05-827T) that the Depart- 
ment of Homeland Security “has not yet developed national cyber threat and 
vulnerability assessments or government ! industry contingency recovery plans for 
cyber security, including a plan for recovering key Internet functions.” 

Qla. What is the current status of progress toward developing national cy ber threat 
and vulnerability assessments, and by what date or dates do you estimate such 
assessments will be completed? 

Ala. As part of NCSD’s participation in the development of the National Infrastruc- 
ture Protection Plan (NIPP), the NIPP Base Plan discusses cyber security and the 
cross-sector cyber element of critical infrastructure and key resources protection 
across all 17 critical infrastructure sectors. It also highlights cyber security concerns 
in an appendix that provides additional details on processes, procedures, and mech- 
anisms needed to achieve NIPP goals and the supporting objectives for cyber secu- 
rity. The cyber security appendix specifies cyber responsibilities for security part- 
ners, processes and initiatives to reduce cyber risk, and milestones and metrics to 
measure progress on enhancing the Nation’s protection of cyber infrastructure. 

The draft NIPP Base Plan was released for final review and comment on Novem- 
ber 2, 2005 and addresses the federal. State, territorial, tribal, local, and private 
sector roles and responsibilities for critical infrastructure protection. It will be com- 
pleted in early 2006. The 17 critical infrastructure and key resource (CI/KR) Sector- 
Specific Plans (SSPs) will further detail risk reduction strategies related to their re- 
spective critical cyber infrastructure. The SSPs will be completed in 180 days after 
the publication of the NIPP Base Plan. 

In addition to physical risk and vulnerability assessments, there are a number of 
DHS initiatives underway that examine cyber-related vulnerabilities. DHS, in co- 
ordination with the private sector, is identifying cyber vulnerability assessment best 
practices. This effort began with an evaluation of various methodologies from across 
public and private sectors. NCSD is also working closely with other DHS compo- 
nents to ensure that cyber aspects of threat, consequence, and vulnerability analysis 
are consistently and appropriately included in risk methodology efforts. These ef- 
forts include the Risk Analysis and Management for Critical Asset Protection 
(RAMCAP), the Vulnerability Identification Self Assessment Tool, Comprehensive 
Reviews, and Site Assistance Visits. To achieve this objective, NCSD will: 

1) Support the development of cyber components of RAMCAP. 

2) Complete its evaluation of public and private sector vulnerability assessment 
methodologies and document best practices in Q1FY06 for integration into 
other efforts; 

3) Integrate cyber issues and best practices into DHS risk management and 
vulnerability assessment methods and tools through ongoing and continued 
collaboration and coordination with DHS entities as methods and tools are 
implemented; and 

4) enhance understanding of the impact of cyber attacks by analyzing the con- 
sequences (i.e., economic, human, physical) of cyber attacks on critical infra- 
structure sectors by Q3FY06. 

In addition, NCSD’s US-CERT Control Systems Security Program and the US- 
CERT Control Systems Security Center (CSSC) work to reduce control system 
vulnerabilities in our critical infrastructure. The Control Systems Security Program 
coordinates efforts among Federal, State, and local governments, as well as control 
system owners, operators, and vendors to improve control system security within 
and across all critical infrastructure sectors by reducing cyber security 
vulnerabilities and risk. The US-CERT CSSC coordinates control system incident 
management, provides timely situational awareness information, and manages con- 
trol system vulnerability and threat reduction activities. The US-CERT CSSC 
brings together government, industry, and academia to reduce vulnerabilities, re- 
spond to threats, and foster public/private collaboration. NCSD and the Control Sys- 
tems Security Program are also working with other DHS components to ensure that 
control systems security is integrated into risk and vulnerability assessment meth- 
odologies and tools designed for use across multiple sectors. 

Further, to reduce control system vulnerabilities in our critical infrastructure, 
CSSC developed a draft cyber security protection framework for identifying control 
systems security protection measures and comparing them against existing security 
standards. The framework provides a systematic methodology for assessing the 
cyber security posture of control systems. It is designed to reduce the burden on 
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owners and operators by providing them with a means to select protective measures 
that apply to their specific architecture and operating environment and reduce their 
respective risk. 

As part of this framework, the CSSC also has capabilities at Idaho National Lab- 
oratory to perform vulnerability assessments of control systems. The CSSC is work- 
ing with commercial vendors and Department of Energy (DOE) to complete assess- 
ments of three different control systems to identify cyber vulnerabilities, reverse en- 
gineer exploits, and provide solutions to secure vendor systems. A code-based anal- 
ysis has also been conducted in cooperation with a vendor/manufacturer to identify 
possible vulnerabilities and recommendations to secure the system. 

The cyber security protection framework also leverages best practices from indus- 
try for securing control systems against cyber attacks and organizes them so the 
control systems community can identify specific solutions to their security 
vulnerabilities. As part of the framework, implementation tools, such as a “self-as- 
sessment tool,” have also been developed to allow owners and operators of industrial 
control systems to perform on-site self-assessments against a database of cat- 
egorized security requirements. 

In addition, NCSD’s Law Enforcement/Intelligence Branch has multiple efforts 
underway in this area. For example, the Law Enforcement/Intelligence Branch, in 
collaboration with the Homeland Infrastructure Threat and Risk Assessment Cen- 
ter, (HITRAC), has created a draft Domestic Cyber Risk Estimate to evaluate the 
threats emanating from inside the U.S., to complement international threat assess- 
ments completed by the intelligence community. HITRAC is comprised of subject 
matter experts from the Office of Infrastructure Protection and the Office of Intel- 
ligence and Analysis. 

Qlb. What is the current status of progress toward developing government ! industry 
contingency recovery plans for cyber security, including a plan for recovering 
key Internet functions, and by what date or dates do you estimate such recovery 
plans will be completed"? 

Alb. DHS is confronting this security challenge through the work of the Internet 
Disruption Working Group (IDWG), a partnership between the NCSD and the Na- 
tional Communications System (NCS). To initiate the substantive work of IDWG, 
the NCSD conducted a one-day IDWG Eorum with major public sector partners and 
subject matter experts in late November 2005. Participants at the Eorum will work 
to continue to collaboratively work in identifying actions that can be taken in the 
near-term to better protect against, respond to, and reconstitute following an Inter- 
net disruption. Topics discussed included: risk scenarios; path forward/near-term 
protective measures; key Internet infrastructure components; path forward/near- 
term response; scope of disruption analysis (or “thresholds”); and path forward/near- 
term response. 

The IDWG will analyze outcome data to develop near-term action plans for risk 
preparedness, situational awareness, vulnerability mitigation, and response and re- 
constitution. Information will be provided to the NCS, NCRCG, and the US-CERT 
for consideration as input to the update of the National Response Plan (NRP)/Emer- 
gency Support Function (ESF) #2, which is the overarching National plan for com- 
munications recovery/reconstitution activities. Near-term action plans are scheduled 
to be completed by the end of the 2nd quarter, FY06. Action plans will be composed 
detailing near-term steps for industry and government to increase Internet resil- 
iency. 

In addition, the Emergency Support Function #2, Communications, is one of fif- 
teen emergency support functions (ESF) maintained by the Federal Emergency 
Management Agency (FEMA) as part of the Federal Response Plan (FRP). The Na- 
tional Communications System (NCS) is responsible for ESF #2, which ensures the 
federal telecommunications support to federal. State and local response efforts fol- 
lowing a Presidentially declared major disaster, emergency or extraordinary situa- 
tion under the FRP. Because the Internet backbone is telecom-based, NCS’s exper- 
tise will help to promote the survivability of the Internet and recovery after disrup- 
tion. NCSD and NCS have agreed to explore the need for possible recommendations 
to revise ESF-2 to ensure that cyber is appropriately accounted for (with SOPs as 
appropriate). 

Q2. The Critical Infrastructure Information (CII) program, which is authorized by 
the statute creating the Department of Homeland Security (DHS), is intended to 
protect cyber security related information provided voluntarily to DHS by the 
private sector. In response to a question at the hearing, you indicated that DHS 
has interim rules in place for instituting the CII program. 



89 


Q2a. What is the current status of the CII program and by what date do you esti- 
mate that the final rule for its implementation will be in place? 

A2a. The Department has synthesized the comments received and has reviewed the 
operating experience with the program to date. The item has a very high priority; 
however, DHS is committed to making sure that the rule and the Program work 
effectively for the Department and critical infrastructure owners/operators, and 
thus, the draft document has been undergoing further refinement. In the meantime, 
based on its operating experience, the PCII Program Office has already been imple- 
menting changes in its operating procedures to respond to some of the issues raised 
in the comments to make PCII more flexible/useful for submitters. The editing proc- 
ess is nearing completion. Before going to the Federal Register, the Rule must be 
submitted to 0MB for interagency coordination. The Department is committed to 
working to resolve any issues that may arise there as quickly as possible. The rule 
will be published as a Final Rule and DHS will continue to work with submitters 
and government users to address implementation issues as they arise. 

In addition to these efforts toward a Final Rule, approximately a year ago, DHS’ 
PCII Office implemented a way for companies to sign up to submit protected critical 
infrastructure information to NCSD on a recurring basis through the secure US- 
CERT Portal. Since then, NCSD has been working toward a mechanism to enable 
companies to submit protected information on an episodic basis, rather than having 
to pre-enroll. This mechanism is scheduled to be implemented in early 2006. Addi- 
tionally, the Department has been working to establish a pilot with the NCSDAJS- 
CERT submissions to allow the submitter to request limited dissemination of their 
information. This effort is expected to be active in early 2006 as well. 

Q2b. What are the principal concerns of the private sector thus far regarding imple- 
mentation of the CII program, and how is DHS responding to these concerns? 

A2b. One of the main concerns frequently expressed by the private sector with re- 
spect to the PCII Program is dissemination of information shared by the private sec- 
tor. Several organizations have stated that they would contemplate sharing cyber 
related information with NCSD if dissemination of their information were limited 
to only NCSD. As a result, NCSD has begun working with the PCII Program Office 
in ‘piloting’ the capability for an entity to submit CII information directly to NCSD 
and request that information be limited in its dissemination to only NCSD. We ex- 
pect this pilot effort, consistent with the interim final rule, to be operational shortly. 

Q3. In his testimony, Mr. Freese indicated that the Process Control Security Forum 
is doing good work in developing design guidelines for the next generation of 
more secure control systems, and he suggested the need for support from DHS 
for seed money to support the implementation of ideas and concepts developed 
by the Forum. 

What is your view of the value of the Process Control Security Forum, and what 
is your response to Mr. Freese’s suggestion? 

A3. The Process Control Systems Forum (PCSF) is an industry lead group com- 
prised of many interest and working groups with the focus of securing legacy and 
next generation control systems. The PCSF is sponsored by the Department of 
Homeland Security’s Science & Technology (S&T) Directorate. The NCSD co-chairs 
the PCSF and supports the PCSF in their mission to accelerate the design, develop- 
ment, and deployment of more secure control and legacy systems currently embed- 
ded with our nation’s critical infrastructure. The NCSD Control Systems Security 
Program’s (CSSP) goal is to reduce the risk from a cyber attack to control systems 
associated with our nation’s critical infrastructure. The NCSD CSSP provides rec- 
ommendations for areas of research and development (R&D) to the S&T Directorate 
as gaps and vulnerabilities are identified in control system cyber security. 

NCSD’s CSSP is an active participant within the PCSF. The CSSP leads several 
interest groups within the PCSF in order to inform and receive comments on CSSP 
initiatives, such as the Control Systems Security Framework and Self-Assessment 
tool and control systems security focused standards. The value of the PSCF is its 
ability to reach out to representatives of the critical infrastructure sectors, such as 
chemical, water, energy, and telecommunications, which utilize Process Control Sys- 
tems (PCS) and Supervisory Control and Data Acquisition (SCADA). The NCSD ac- 
tively engages with the PSCF to reach vendors and asset owners as part of its out- 
reach efforts. More recently, for example, the NCSD CSSP published the Hurricane 
Katrina Control Systems Assistance Informational Paper, which provided guidance 
for rebuilding and securely restarting control systems. The paper is available on the 
PCSF website, as well as the NCSD US-CERT website. 
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Question submitted by Representative Eddie Bernice Johnson 

Ql. I understand that the Secretary of Homeland Security created the new position 
of Assistant Secretary of Cyber Security and Telecommunications. Why has this 
position not yet been filled, and when will it be filled? 

Al. As with other key leadership positions, the Assistant Secretary for Cyber Secu- 
rity and Telecommunications position requires a unique skill set of managerial and 
substantive expertise and we are in the process of reviewing the qualifications of 
several candidates. The Department will move forward with the process of identi- 
fying a suitable nominee as quickly as possible. 
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Answers to Post-Hearing Questions 

Responses by John S. Leggate, Chief Information Officer and Group Vice President, 
Digital & Communications Technology, BP Pic., United Kingdom 

Questions submitted by Chairman Sherwood L. Boehlert 

Ql. Measuring Cyber Security 

Qla. How do you measure your company’s cyber security? 

Ala. We assess our capability to manage security vs. the risk, assessed through a 
combination of assessment of threats against the company, the potential weaknesses 
in systems and processes and the impact that such exposures could have. 

Qlb. How do determine if your company’s level of cyber vulnerability is being re- 
duced? 

Alb. The assessment approach stated above measures risk reduction activities such 
as device patching and the relevance of such actions. 

Qlc. How do you decide what is “secure enough”? 

Ale. The impact assessment, measuring financial and non-financial impact (such as 
safety, environment, effect on society, regulatory compliance and reputation) deter- 
mines whether something matters to the company. The likelihood of the event, as- 
sessed by threat intelligence and effectiveness of controls determines how much ac- 
tion needs to be taken. 

Qld. Are there specific metrics you use in evaluating the cyber security of your com- 
pany? 

Aid. We use specific metrics relating to the effectiveness of particular controls or 
the trend of threats. We have a scale used for assessing impact for the most signifi- 
cant risks. (Broader concepts such as value at risk have as yet proved illusory in 
the case of operational risks). 

Qle. How should the Department of Homeland Security (DHS) determine if the Na- 
tion is making progress? 

Ale. Firstly, through risk assessment of security — what is at risk and how well is 
it protected, the capabilities deployed, measured in the form of skilled people, de- 
ployed security technologies and processes. Secondly through the number of security 
events being reported. 

Qlf. Are government mandates needed to increase the progress and get to “secure 
enough”? 

Alf. The government should always avoid mandating specifics, as true knowledge 
of the most appropriate control always exists within the sector (no matter which sec- 
tor). However, government should mandate processes and actions that ensure that 
cross-sector risks are identified and picked up and that sectors measure themselves 
against their own standards. 

Business Case for Cyber Security 

Qlg. Within your company, how do you make the business case for the costs associ- 
ated with more secure information technology products? What can the Federal 
Government do to help you make this case and make investment in cyber secu- 
rity more attractive? 

Alg. The security requirements for information technology products are generally 
little more than the basics of good integrity, i.e., no vulnerabilities. The addition of 
simple security measures like frrewalls and anti-virus and next generation protec- 
tion of data is just good business. No special action is required outside normal good 
business practice. The government need take no additional action. 

Q2. Information Sharing 

Q2a. What information would you find most helpful to receive from the government 
(especially DHS) or from other companies when you are making decisions re- 
lated to what cyber security you need. When responding to an attack or an inci- 
dent? 

A2a. Threat information about new risks and problems being encountered in near 
real-time. 
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Q2b. What information have you been asked for by DHS that you feel uncomfortable 
providing and why? 

A2b. Detail of security events and known vulnerabilities. We have no assurances as 
to the protection of our information, who has access to it and how it will be used. 
Additionally we are concerned that there will be demands put on the individuals 
dealing with the incident that are no in the best interest of our company. 

Q2c. What are the principal barriers to information sharing: Are changes in the leg- 
islation or regulations needed to overcome these barriers? 

A2c. Simple trust between one person and another. It takes time to build and needs 
processes to bed in before it works. Changes in process such as a move from ISACs 
to central DHS actions was a backward step in this fragile trust model. Government 
funding to help the information sharing infrastructure is invaluable in getting over 
the lead time between starting and seeing value (which is a barrier for company 
funding). 

Q3. Responding to Cyber attacks 

Q3a. If the information systems of a critical infrastructure company were attacked 
today, is the U.S. prepared to detect the attack and repel it or repair the sys- 
tems quickly? 

A3a. It depends on the industry, the nature of the attack and the company itself. 
Response would range from excellent to poor. As a whole the U.S. Government 
would probably not be of much help in helping critical infrastructure companies; 
however, the company themselves may be prepared to handle the majority of at- 
tacks. 

Q3b. What about if it were an attack on the Internet? 

A3b. There is no coordinated response to an Internet attack. Recovery would be by 
adhoc action and if unlucky could be catastrophic if the impact spread across sec- 
tors. Lots of very good technical people work on an adhoc basis but there is NO stra- 
tegic plan or coordinated effort. 

Q3c. What role can and should DHS and other public and private organizations 
play in these response activities? 

A3c. DHS itself can do little in the response, this has to be done by the companies 
that own the infrastructure itself. DHS can help best in analysis, preparedness and 
planning. 

Q3d. What are the barriers to DHS, companies or other organizations providing a 
quick, effective and coordinated response? 

A3d. Poor planning and lack of understanding of interdependencies and weak 
points but most of all TRUST. DHS has done little to foster trust with the critical 
infrastructure companies. 

Q4. International Cyber Security 

Q4a. In your experience working with multiple Federal Governments on cyber secu- 
rity, what notable differences exist between the approach of the U.S. and that 
of other countries? 

A4a. The U.S. approach is paradoxical, there seems to be good funding in total but 
this is not integrated into a focused program. The lack of continuity and lack of se- 
niority in the cyber security part of DHS has led to fragmentation of the program 
with many activities being started but few big wins to point at. Cyber Security has 
taken a back seat especially in R&D — DHS S&T is only spending about $15 million 
on cyber security. 

Q4b. Are other countries supporting activities that the U.S. should be doing too? 

A4b. Delivery of specifics such as practical solutions from funded research, novel 
cyber-intelligence, and user-led security solutions fora have all been seen to add 
great value in the programs of some other countries. 

Q5. What is the Department of Homeland Security doing to foster private sector ef- 
forts in cyber security and what could the agency do that it is not doing now? 

A5. The ISACs presented a great opportunity for private sector engagement, but 
DHS has programmatically eliminated independent ISACs. The initiatives should be 
given focus and direction to have specific rather than generic work programs. 
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Q6. Are effective practices procedures and technologies now available to guard 
against the adverse impacts of cyberspace vulnerabilities^ 

A6. As we digitize more and more we need to have a significant improvement in 
software en^neering to create systems of adequate integrity. This philosophy is still 
not present in the IT industry. 

Q7. Are there shortcomings for particular critical infrastructure areas? 

A7. As traditional process control technologies such as SCADA/DCS continue to in- 
tegrate with Commercial Off The Shelf IT systems we see vulnerabilities and 
threats being introduced into environments that cannot be changed to deal with 
them. A new class of co-existing security protection is required to address legacy 
systems until such time as new, built-secure technologies can take their place. 
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Answers to Post-Hearing Questions 

Responses by David E. Kepler, Corporate Vice President of Shared Services and Chief 
Information Officer, The Dow Chemical Company 

Questions submitted by Chairman Sherwood L. Boehlert 

Ql. Measuring Cyber security 

• How do you measure your company’s cyber security 1 

• How do determine if your company’s level of cyber vulnerability is being re- 
duced? 

• How do you decide what is “secure enough”? 

• Are there specific metrics you use in evaluating the cyber security of your com- 
pany? 

• How should the Department of Homeland Security (DHS) determine if the Na- 
tion is making progress? 

• Are government mandates needed to increase the progress and get to “secure 
enough”? 

Al. Dow Chemical has a disciplined process to manage risk and address cyber secu- 
rity in our company. The metrics established in this framework allow us to analyze 
our effectiveness against priorities, understand internal support for addressing 
these priorities, and identify strengths and areas for improvement in our efforts. 
This framework also provides a valuable mechanism to compare our own priorities 
and self-assessments against those of peer companies. Our processes are based on 
industry standards and best practices. 

Today’s world requires us to maintain constant vigilance and effort to ensure our 
security. There is no foreseeable point where we as a company can declare we are 
“secure enough.” We must continue to assess our risk and vulnerabilities applying 
the necessary investments, resources and management systems to effectively man- 
age risk and mitigate vulnerabilities on an on-going basis. 

The Department of Homeland Security (DHS) cannot be everything to everyone. 
Instead, it is in our national interest for DHS to place a priority and focus on cyber 
threats of significant consequence that could interrupt our nation’s critical informa- 
tion and communications infrastructure or cause significant disruption to our econ- 
omy. DHS should be measured by how well they plan, defend, and respond to such 
threats of national consequence. 

Q2. Business Case for Cyber Security 

Within your company, how do you make the business case for the costs associ- 
ated with more secure information technology products? What can the Federal 
Government do to help you make this case and make investment in cyber secu- 
rity more attractive? 

A2. Information systems are critical to Dow Chemical’s business operations and are 
integral to the competitive advantage of our company. Ensuring the reliability and 
security of our systems, processes, and information is of the utmost importance. The 
business case for cyber security is very simple for us. If our critical information sys- 
tems or manufacturing control systems are compromised, our ability to conduct 
business is compromised. Investments are based on impact to our current operations 
and stakeholders, not for benefit return. 

Q3. Information Sharing 

• What information would you find most helpful to receive from the government 
(especially DHS) or from other companies when you are making decisions re- 
lated to what cyber security you need. When responding to an attack or an in- 
cident? 

• What information have you been asked for by DHS that you feel uncomfortable 
providing and why? 

• What are the principal barriers to information sharing: Are changes in the leg- 
islation or regulations needed to overcome these barriers? 

A3. DHS should strive to provide specific information regarding pending threats, 
likely attacks, and recommended response plans where possible. Although under- 
standing this is not always feasible, it is necessary to have an ongoing, two-way dia- 
logue with critical infrastructure sectors on the current threat environment, likely 
trends, and potential mitigation options. 
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We believe DHS has established programs, such as PCII, and continues to revise 
theses programs as necessary to enable the effective sharing of information from the 
private sector to DHS. However, we believe DHS and the private sector communica- 
tions need to be protected in both directions to enable dialogue on highly sensitive 
areas. PCII only protects information we submit, it does not promote reverse shar- 
ing. An additional concern is the growing number of requests from federal agencies 
outside DHS and State agencies for security and proprietary sensitive information 
that could otherwise be protected as PCII. If requested under broad authority grant- 
ed by various laws and statutes, the information would be considered “independ- 
ently obtained,” and would not be protected under existing DHS programs. 

Further, even programs within DHS, such as protection of SSI, are not consistent 
with PCII and do not offer equivalent protections. Efforts must be taken to har- 
monize the protection of information within DHS and across all governmental agen- 
cies to ensure that critical security information is not compromised and that devel- 
opment of important security information and sharing of such information is encour- 
aged. We believe that DHS should be empowered as the central agency responsible 
for the protection of security sensitive and proprietary sensitive information. Redun- 
dant requests from other agencies should be limited, and if information sharing is 
required across federal, state and local agencies, it must have the same level of pro- 
tections provided by PCII. 

Q4. Responding to Cyber attacks 

• If the information systems of a critical infrastructure company were attacked 
today, is the U.S. prepared to detect the attack and repel it or repair the sys- 
tems quickly? 

• What about if it were an attack on the Internet? 

• What role can and should DHS and other public and private organizations 
play in these response activities? 

• What are the barriers to DHS, companies or other organizations providing a 
quick, effective and coordinated response? 

A4. The U.S. must be prepared to address high consequence cyber attacks to our 
nation’s critical information and communications infrastructure. Research and de- 
velopment efforts need to be focused on how best to anticipate and model, detect, 
defend, and respond to significant interruptions to the Internet and communications 
infrastructure. More needs to be done to focus attention on these high risk con- 
cerns — ensuring adequate planning, resources, and management structure are in 
place to respond to these high-risk scenarios. Less engagement in security and reli- 
ability solutions is needed as this is being addressed by marketplace forces. 


Questions submitted by Representative Eddie Bernice Johnson 

Ql. What is the Department of Homeland Security doing to foster greater private sec- 
tor efforts in cyber security and what could the agency do that it is not doing 
now? 

Al. DHS is currently initiating a number of projects they believe will increase cyber 
security in the private sector. However, these efforts are not well coordinated with 
the private sector and appear to lack coordination within the agency itself. A char- 
tered engagement with the Chemical Sector’s Security Program is needed to under- 
stand and address the highest areas of risk to our country as it relates to the chem- 
ical sector. 

Q2. Are effective practices, procedures, and technologies now available to guard 
against the adverse impacts of cyberspace vulnerabilities? Are there short- 
comings for particular critical infrastructure areas? 

A2. Speaking for the chemical industry, we have established the Chemical Sector 
Cyber Security Program to create guidance and reference procedures as well as best 
practices across our industry. For over three years, this program has actively en- 
gaged to educate large and small chemical companies and to build guidance into in- 
dustry programs such as the Responsible Care Security Code. 

Although technology is improving, the current approach of releasing software and 
infrastructure with security vulnerabilities that requires patching later must be ad- 
dressed. Information technology providers must more thoroughly test their products 
for existing security threats and apply necessa^ protections against anticipated fu- 
ture threats. The market appears to be working — incenting companies to provide 
much more secure software and systems. However, if this trend does not continue, 
government intervention may be needed to ensure information technology is fully 
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developed and secured before being released into the marketplace. Companies have 
the financial capability to address this, and government sponsored R&D should not 
be required. 
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Answers to Post-Hearing Questions 

Responses by Gerald S. Freese, Director of Enterprise Information Security, American 
Electric Power 


Questions submitted by Chairman Sherwood L. Boehlert 

Ql. Measuring Cyber Security 

Qla. How do you measure your company’s cyber security 1 

Ala. Measurement is most effective against a backdrop consisting of a security pol- 
icy and standards. Measurement is accomplished in several ways, depending on the 
intended focus: 

• Compliance with internal security standards — measured against metrics de- 
rived from self-imposed security requirements (based on business drivers and 
best practices). 

• Compliance with regulatory requirements — measured against externally gen- 
erated security mandates (Sarbanes Oxley, HIPAA, FERC, GLB, etc.). 

• Penetration testing — Tests technical security architecture for vulnerabilities. 
Provides multiple levels of security gap determinations and direction for re- 
mediation. 

Qlb. How do you determine if your company’s level of cyber vulnerability is being 
reduced^ 

Alb. Using periodic scanning of networks, servers and workstation for known 
vulnerabilities; ongoing compliance checks determine levels of compliance with 
standards. Compliance checks rely on the use of technical and process metrics devel- 
oped through best practices or regulatory requirements. 

Qlc. How do you decide what is secure enough? 

Ale. “Secure enough” is determined through analysis of several variables; these are 
risk to business systems, regulatory requirements and the level of security imple- 
mented in the technical architecture. 

Qld. How should DHS determine if the Nation is making progress? 

Aid. DHS must continue to work toward comprehensive information sharing with 
critical infrastructure industries. The NIPP is an excellent start toward greater co- 
operation but the PCII program needs to be fully implemented and socialized to be 
effective. 

Qle. Are government mandates needed to increase the progress and get to “secure 
enough?” 

Ale. Critical infrastructure industries do not want government mandates to in- 
crease security. Unfortunately, there is no way for the government to effectively 
help protect critical infrastructure if its components do not have some consistency 
in the level of risk-based protection they have in place. I feel that at some point 
in the future, government will step in and establish federal requirements. Hopefully 
they will do it with full industry collaboration. 

Q2. Business Case for Cyber Security 

Q2a. Within your company, how do you make the business case for the costs associ- 
ated with more secure information technology products? 

A2a. In several ways: Regulatory or legislative requirements; Risk identiheation 
and mitigation; Cultivating strong executive support for Cl protection. 

Q2b. What can the Federal Government do to help make this case? 

A2b. The government can provide more pertinent, substantiated threat information. 
They can also design hnancial assistance for selected protective measures. These 
would have to be accomplished with extensive collaboration with the private sector. 

Q3. Information Sharing 

Q3a. What information would you find most helpful to receive from the government 
(especially DHS) or from other companies when you are making decisions re- 
lated to what cyber security you need? When responding to an attack or an inci- 
dent? 
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A3a. In question two, we discussed that there is a need for more pertinent and sub- 
stantiated threat information from the government. When responding to an attack 
or incident, government sources, outside of some law enforcement liaison, will prob- 
ably be less timely than commercial enterprises specializing in early warning and 
incident response measures. Attacks or exploits, however, are threats come to fru- 
ition. Initial government involvement in early warning and threat analysis would 
go a long way toward better prevention or deflection of these exploits. 

Q3b. What information have you been asked for by DHS that you feel uncomfortable 
providing? Why? What are the barriers to information sharing? Are changes in 
legislation or regulations needed to overcome these barriers? 

A3b. On numerous occasions, federal and State DHS authorities have asked us for 
information on our critical assets and on the protective measures (physical and 
cyber) surrounding them. Without the PCII program in place, we are very reluctant 
to provide that data, and have repeatedly declined their requests. We cannot be sure 
under the current situation of only partial implementation of the PCII program who 
will have access to that data. Once PCII is fully established and implemented, we 
will revisit information sharing and support the effort. We are committed to doing 
all we can to help the government protect our nation’s critical infrastructure. 

Q4. Responding to Cyber Attacks 

Q4a. If the information systems of a critical infrastructure company were attacked 
today, is the U.S. prepared to detect the attack and reel it or repair the systems 
quickly? 

A4a. While there are many companies that have successfully repelled one or more 
major cyber attacks, many more have not and a good number could not. Those that 
have the security technology and mature incident response programs are usually 
well equipped to handle both directed and general cyber attacks. Those that have 
few technical solutions in place or that have poorly defined incident response proce- 
dures are often victims of even the most well-known and preventable threats. So the 
answer to this question must be qualified with an “it depends on who is attacked” 
caveat. Overall as a country I believe we are not well equipped to repel such at- 
tacks. 

Q4b. What about if the attack were on the Internet? 

A4b. If attacks are recognized quickly (very likely) and there are preventive meas- 
ures already in place and properly configured, responses after a major Internet at- 
tack can probably effectively thwart attackers. These measures range from network 
and system processes to equipment/communication redundancy. 

Q4c. What role can and should DHS and other public and private organizations 
play in these response activities? 

A4c. DHS should be providing the most up to date threat data available, along with 
analysis of potential and actual cyber threats. In addition, they should provide 
awareness information to companies that is substantive, citing examples of attacks, 
providing recommended solutions and adding real value to the knowledge base. To 
make this more meaningful, DHS might want to make this a collaborative effort 
with commercial companies that already have a large critical infrastructure cus- 
tomer base. 

Q4d. What are the barriers to DHS companies or other organizations providing a 
quick, effective and coordinated response? 

A4d. I can’t speak for other companies, but regarding DHS, it needs to staff its 
ranks with true cyber security experts and be willing to pay the costs of their exper- 
tise. This does not mean hiring the standard group of government contractors. It 
means recruiting individuals from the commercial world that have industry credi- 
bility, can offer real knowledge and experience and feel that protecting critical infra- 
structure is a vital mission for our national security. 

Q4e. What is DHS doing to foster greater private sector efforts in cyber security, and 
what could the agency do that it is not doing now? 

A4e. DHS seems to be addressing most of the right areas as evidenced by the NIPP 
draft. They are also increasing involvement in industry groups, making sure their 
message is being effectively communicating. What they could add is accurate threat 
data and greater awareness of the impact that cyber attacks can have on the infra- 
structure and economy. 
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Q4f. Are effective practices, procedures and technologies now available to guard 
against the adverse impacts of cyberspace vulnerabilities^ Are there short- 
comings for particular critical infrastructure areas? 

A4f. Currently there are effective practices, procedures and technologies available. 
And they will keep improving. The problem is that these are not used consistently 
across all infrastructure organizations. Unfortunately, with cyber security we’re still 
only as strong as our weakest link. 
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Answers to Post-Hearing Questions 
Responses by Andrew M. Geisse, Chief Information Officer, SBC Services, Inc. 

Questions submitted by Chairman Sherwood L. Boehlert 

Ql. Measuring Cyber Security 

How do you measure your company’s cyber security'^ How do you determine if 
your company’s level of cyber vulnerability is being reduced? How do you decide 
what is “secure enough”? Are there specific metrics you use in evaluating the 
cyber security of your company? How should the Department of Homeland Secu- 
rity (DHS) determine if the Nation is making progress? Are government man- 
dates needed to increase the progress to get to “secure enough”? 

Al. There is no single metric or measurement that suffices to describe a company’s 
cyber security readiness. SBC proactively determines the cyber security readiness 
of its environment through the use of internal and external audit reviews, secure 
system management compliance, application security compliance, routine scans to 
identify vulnerabilities, and periodic component review within the infrastructure. In 
addition, an annual assessment of deployed security solutions is conducted based 
upon new or changing requirements and conditions. SBC also has a team of IT Se- 
curity professionals dedicated to the protection of its internal cyber resources. A key 
metric for SBC is the number of attempted and investigated intrusions within the 
environment and the corrective actions taken to address them. 

As a way to measure private companies’ progress towards cyber security, the De- 
partment of Homeland Security could use publicly reported information, such as an- 
nual Sarbanes-Oxley disclosure reports. 

Government mandates should not be necessary. The DHS could focus on cyber se- 
curity best practices and standards. Also helpful would be tools so companies could 
measure their compliance towards those best practices. 

Q2. Business Case for Cyber Security 

Within your company, how do you make the business case for the costs associ- 
ated with more secure information technology products? What can the Federal 
Government do to help you make this case and make investment in cyber secu- 
rity more attractive? 

A2. SBC well understands the need for cyber security, within the company infra- 
structure and as a service we can provide to users of our data products. Business 
cases to support cyber security preparedness to protect internal cyber resources 
must clearly define the risks to the business, the security tools needed and processes 
required, and then should be evaluated based on needs of the business. Most often, 
business cases supporting cyber security are developed because of new business op- 
portunities, changing cyher technologies, new identified vulnerabilities, growth of 
our environment, or new legislative requirements. 

Awareness of cyber security to the public can show a positive impact to businesses 
that help support cyber infrastructure (i.e., Internet). The more people understand 
virus protection, anti-spam tools, identity theft protection, and phishing risks, the 
better the Internet-connected community and services can perform on their behalf. 
Government education programs that could also be used within businesses would 
help defray internal education costs. 

Q3. Information Sharing 

Q3a. What information would you find most helpful to receive from the government 
(especially DHS) or from other companies when you are making decisions re- 
lated to what cyber security you need? When responding to an attack or inci- 
dent? 

A3a. SBC would find it helpful if information from the DHS includes: current cyber 
vulnerabilities, attack methods, and attack sources. The most current information 
helps us prepare strategies to deal with new sources of attack and new methods of 
attack. The same can be said when responding to an incident. Understanding how 
an attack may occur and from where allows SBC to better prepare defenses that 
could block specific protocols or specific IP addresses. 

Q3b. What information have you been asked for by DHS that you feel uncomfortable 
providing? Why? 

A3b. Information that SBC has been asked to share that has made us uncomfort- 
able includes items that we consider private within the company and restricted to 
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only employees with a need to know. Examples include our private address spaces, 
server specifics (numbers, types, versions, and locations), vendors used and security 
infrastructure components. Typically, we are uncomfortable with sharing informa- 
tion that could be used to allow specific, targeted attacks against SBC. We also have 
an expectation from and an obligation to our customers to keep their information 
private and secure. Release of customer information to law enforcement should al- 
ways follow the same strict protocol as any other subpoenaed information. 

Q3c. What are the principal barriers to information sharing? Are changes in legisla- 
tion or regulations needed to overcome these barriers? 

A3c. It has been our experience that the principal barriers to information sharing 
between companies are; competition within an industry, potential negative public 
perception if cyber security intrusions occur, and the FOIA or other disclosure acts 
requiring federal agencies to disclose meeting proceedings or information provided. 

Q4. Responding to Cyber Attacks 

If the information systems of a critical infrastructure company were attacked 
today, is the U.S. prepared to detect the attack and repel it or repair the systems 
quickly? What about if it were an attack on the Internet? What role can and 
should DHS and other public and private organizations play in these response 
activities? What are the barriers to DHS, companies, or other organizations pro- 
viding a quick and effective and coordinated response? 

A4. I believe most large companies, especially those within the critical infrastruc- 
ture, understand cyber security is a part of doing business within our Internet-con- 
nected world, today, and have taken precautionary measures to detect and protect 
against attacks. 

The Internet itself is constantly attacked. The Internet, by definition, is a network 
of networks, and, as such, Internet service providers have an ability to segment por- 
tions of the network to prevent rampant abuse, if necessary. 

Communications is the chief barrier to DHS’ ability to coordinate a rapid and co- 
ordinated response to Internet problems. To provide a coordinated response, the 
DHS needs the ability to contact key Internet providers to focus on the immediate 
attack. This is not unlike the telecommunications requirement to have a National 
Security Emergency Preparedness (NSEP) organization which focuses on national 
telco events. 

Questions submitted by Representative Eddie Bernice Johnson 

Ql. What is the Department of Homeland Security doing to foster greater private sec- 
tor efforts in cyber security, and what could the agency do that it is not doing 
now? 

Al. SBC maintains close ties to government agencies responsible for national secu- 
rity. We work closely with them on a daily basis to receive and share security re- 
lated information. The DHS is encouraged to continue to support the efforts of the 
following: the National Security Telecommunications Advisory Council (NSTAC), 
National Coordinating Center Telecom Information Sharing and Analysis Center 
(NCC Telecom ISAC), FBI’s Infragard, and the National Security Information Ex- 
change (NSIE). 

DHS support of public awareness and education programs focused on cyber secu- 
rity would be a pro-active effort to help companies and the public be more aware 
of cyber security and the role they play to protect themselves. 

Q2. Are effective practices, procedures, and technologies now available to guard 
against the adverse impacts of cyberspace vulnerabilities? Are there short- 
comings for particular critical infrastructure areas? 

A2. SBC utilizes security technologies and practices to guard against adverse cyber 
security vulnerabilities. We believe security tools and practices exist for industries 
to protect themselves. Our challenge is addressing new vulnerabilities as they ap- 
pear. This requires technologies and processes to continuously react to the ever- 
changing environment. Consumers and industry must continue to hold vendors ac- 
countable and to focus their efforts on providing products and tools to meet cyber 
security best practices. Vendors need to recognize that cyber security is an adminis- 
trative intensive effort and tools are needed to relieve this pressure. 



